Description

Hello Team,

Hope you are doing well.

I have found a stored cross-site scripting vulnerability in the network maps edit functionality.

What is stored cross site scripting attack?

Stored XSS, occurs when user supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are: message forums, blog comments, user profiles and username fields. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a site or passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload. The victim visits the page and the payload is executed client side by the victims web browser.

Steps:

Proof of Concept

• As a low privilege user (manager in this case), create a network map containing name as xss payload given below.
• Once created, admin user must click on the edit network maps
• XSS payload will be executed, which could be used for stealing admin users cookie value.

POC Link: https://drive.google.com/drive/folders/1l_jvDKS3DvWKICwCMw1P0ntSyaTlIcCX?usp=sharing

Payload used: "><img src=x onerror=alert(document.cookie)>

Impact

• Perform any action within the application that the user can perform.
• View any information that the user is able to view.
• Modify any information that the user is able to modify.
• Session hijacking as the JavaScript code can easily access session cookie since the httponly flag is set to false.

Mitigation:

• Implement security headers such as X-XSS-Protection,CSP for added layer of protection.
• Proper input validation and sanitization should be performed.
• Proper output encoding should be performed.