Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Reported on Jun 30th 2021
✍️ Description
There is a stored XSS in the online invoicing system which can be exploited by any user who has permission to add invoices. When a comment is added while creating an invoice, improper sanitization allows an XSS payload placed in the comment to be triggered.
🕵️♂️ Proof of Concept
Video POC:
https://drive.google.com/file/d/1bC9YJFV08fltA23sPJSgIT0JTYU39NjR/view?usp=sharing
Payload: '''><svg/onload=prompt(5)>
💥 Impact
Stored XSS: an attacker could steal other users' cookies and hijack the session of any user who views the invoice carrying the injected payload.
Occurrences
I'm unable to reproduce this issue. Please note that the code you linked to is from an older version of OIS. I tested this payload on the latest release and was unable to reproduce the vulnerability.
I cloned the latest repo from GitHub and then tested the application. Also, as you said latest release, I will download it from the release section, retest it and let you know, sir. As per this report, steps to reproduce:
- Start the server
- Log in as a user who has permission to make invoices
- Enter the given payload in the comment box
- Save the invoice and you will see the pop-up

Thanks. I'll wait for your report.
Hello @maintainer, I just checked the latest version; the payload is still executed, with the same payload. Video POC from downloading the latest version to exploitation: https://drive.google.com/file/d/1Dbw5vSli6srWXgMcn2T4dFEGaNB-VvfJ/view?usp=sharing
Sorry @x3rz for the long delay .. I have tons of tasks :/
Thanks for the detailed recording .. I see you're using v5.0 .. I made several commits after that release but didn't tag them yet. However, I did revert to v5.0 to try to retest this issue and added exactly the same payload '''><svg/onload=prompt(5)>
into the invoice comments field but didn't see this issue happening ..
I checked the source code of the browser page to see how the payload is placed and here is the source code:
<textarea name="comments" id="comments" rows="5">'''><svg/onload=prompt(5)><br></textarea>
I'm not sure if the above is going to display correctly in the comments area of the huntr page, but anyway what I see is that the svg tag gets changed to HTML special characters, and so there is no code to execute ...
So, it's really puzzling to watch the screencast you recorded and see the clear XSS issue showing in it .. maybe it's related to a PHP version issue? I'm using PHP 7.0 during my test.
Thank you for your reply, sir. I am using PHP 7 myself and I am still able to reproduce it; I just checked it. Can you please type it manually in the comment box? Because I tried copy-pasting and it didn't work in that case, but it works when I type it in manually.
I am using the Brave browser and the current version of the online invoicing system.
OK, I tried manually typing the payload into the comment box (and also the address box), clicked Save .. no alerts :/ Here is a screencast of what I tried: https://cdn.bigprof.com/screencasts/xss-test.mp4
I checked the page source code again to see how the payload is stored and here it is: <textarea name="comments" id="comments" rows="5">'''>svg/onload=prompt(5)><br></textarea>
Could this be a bug in brave browser? Could you try Firefox or Chrome if possible?
OK, I guess I was able to finally reproduce the issue after slightly modifying the payload to xss"'><img src=x onerror=alert()>
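An added example, not code from online-invoicing-system or from anyone in this thread: it renders a stored comment into the same <textarea> element quoted above, first verbatim (the pattern that produces the stored XSS) and then through htmlspecialchars, and runs both payloads from this report through each path. The element markup, the benign sample comment and the helper names are assumptions for the example.

```php
<?php
// Added example, not code from online-invoicing-system: how a stored invoice
// comment becomes live markup, and the output encoding that prevents it.
// The element and its attributes mirror the <textarea> quoted in the thread.

const TEXTAREA_OPEN = '<textarea name="comments" id="comments" rows="5">';

// Vulnerable pattern: the stored value is written into the page verbatim,
// so a comment holding a tag is parsed as markup when the invoice is viewed.
function render_comments_unsafe(string $comment): string
{
    return TEXTAREA_OPEN . $comment . '</textarea>';
}

// Hardened pattern: HTML-encode for the element-content context. ENT_QUOTES
// also encodes both quote characters, so the same helper is safe inside an
// attribute value; ENT_SUBSTITUTE keeps malformed UTF-8 from turning the
// whole field into an empty string, which would silently drop the comment.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comments_safe(string $comment): string
{
    return TEXTAREA_OPEN . encode_for_html($comment) . '</textarea>';
}

// Check a rendered fragment: only the textarea's own two tags may start with
// "<", so any further "<" means the stored value injected markup.
function injects_markup(string $rendered): bool
{
    return substr_count($rendered, '<') !== 2;
}

// Constructed inputs: a benign comment plus the two payloads from the report.
$samples = [
    "Payment due in 30 days",
    "'''><svg/onload=prompt(5)>",
    "xss\"'><img src=x onerror=alert()>",
];

foreach ($samples as $comment) {
    printf("%-40s unsafe: %s  safe: %s\n",
        $comment,
        injects_markup(render_comments_unsafe($comment)) ? 'INJECTS' : 'inert',
        injects_markup(render_comments_safe($comment)) ? 'INJECTS' : 'inert');
}
```

Run with `php example.php`; the encoded path is what turns the svg tag into HTML special characters, which is the behaviour the maintainer observed in the page source.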