
CVE-2023-43458 - Stored Cross-Site Scripting (XSS)

CVE-2023-43456

About the Application

This simple project is entitled Resort Reservation System v.1.0. It is a simple web application that provides an automated platform for resort management to store and retrieve reservation records. It was mainly developed using PHP and an SQLite3 database, with a simple and pleasant user interface built on the Bootstrap v5 framework. The project contains CRUD (Create, Read, Update, and Delete) operations and user-friendly features and functionalities.

Resort Reservation System v.1.0 was developed for, and can only be accessed by, the resort management. Management can dynamically list all the rooms/cottages and extra fees available at their resort and store customer reservation records along with any other charges. Using the system, users first enter the customer's reservation details and the room or cottage they want, then add extra fees or charges when the customer checks in.

Vulnerability Description

A Cross-Site Scripting vulnerability in Resort Reservation System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the room, name, and description parameters at /php-sqlite-rrs/?page=manage_room.

Vulnerable Code

Filename: /php-sqlite-rrs/manage_room.php

Vulnerable Endpoint: /php-sqlite-rrs/?page=manage_room

Vulnerable Parameters: room (form field room_no), name and description

Code:

<form action="" id="room-form">
    <input type="hidden" name="formToken" value="<?= $_SESSION['formToken']['room-form'] ?>">
    <input type="hidden" name="room_id" value="<?= $data['room_id'] ?? '' ?>">
    <div class="mb-3">
        <label for="room_no" class="text-body-tertiary">Room/Cottage Number</label>
        <input type="text" class="form-control rounded-0" id="room_no" name="room_no" required="required" autofocus value="<?= $data['room_no'] ?? "" ?>" >
    </div>
    <div class="mb-3">
        <label for="name" class="text-body-tertiary">Name</label>
        <input type="text" class="form-control rounded-0" id="name" name="name" required="required" value="<?= $data['name'] ?? "" ?>">
    </div>
    <div class="mb-3">
        <label for="description" class="text-body-tertiary">Description</label>
        <textarea rows="5" class="form-control rounded-0" id="description" name="description" required="required" ><?= $data['description'] ?? "" ?></textarea>
    </div>
    <div class="mb-3">
        <label for="price" class="text-body-tertiary">Price</label>
        <input type="number" step="any" class="form-control rounded-0" id="price" name="price" value="<?= $data['price'] ?? "" ?>">
    </div>
    <div class="mb-3">
        <label for="status" class="text-body-tertiary">Status</label>
        <select class="form-select rounded-0" id="status" name="status">
            <option value="0" <?= isset($data['status']) && $data['status'] == 0 ? "selected" : "" ?>>Inactive</option>
            <option value="1" <?= isset($data['status']) && $data['status'] == 1 ? "selected" : "" ?>>Active</option>
        </select>
    </div>
</form>

When a user submits the room number, name, and description fields, the application does not sanitize or encode these values before storing them in the backend, and the template above echoes them back unencoded (`<?= $data['room_no'] ?? "" ?>` and the like) whenever the record is displayed or edited. This oversight creates a Stored Cross-Site Scripting (Stored XSS) vulnerability in these three parameters.

Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs in web applications when user input, often in the form of text or other content, is not properly sanitized or validated before being stored on the server and then later displayed to other users. This vulnerability allows attackers to inject malicious scripts, typically in the form of JavaScript code, into the application’s data storage. When other users retrieve and view this data, the injected script code is executed within their browsers, potentially leading to a range of malicious actions.
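As an added example (not code from the Resort Reservation System project), the following PHP script renders two of the manage_room.php fields twice: once the way the original template does, and once with output encoding applied. It uses a constructed room record that carries the payloads from this writeup, standing in for a row read back from the SQLite rooms table. The e() helper, the two render functions, containsInjectedScript() and the sample record are assumptions made for the demonstration; the fix in the real template is to pass every `<?= ... ?>` value through the same htmlspecialchars call.

```php
<?php
// Added example, not code from Resort Reservation System: shows why the
// unencoded template executes stored input and how output encoding stops it.
declare(strict_types=1);

/** Encode a value for safe insertion into HTML text or a double-quoted attribute. */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: mirrors the original template, which echoes $data unencoded. */
function renderRoomFieldsVulnerable(array $data): string
{
    $roomNo      = $data['room_no'] ?? '';      // attribute context
    $description = $data['description'] ?? '';  // element-content context
    return '<input type="text" id="room_no" name="room_no" value="' . $roomNo . '">' . "\n"
         . '<textarea id="description" name="description">' . $description . '</textarea>';
}

/** Hardened rendering: every interpolated value goes through e() first. */
function renderRoomFieldsSafe(array $data): string
{
    $roomNo      = e($data['room_no'] ?? '');
    $description = e($data['description'] ?? '');
    return '<input type="text" id="room_no" name="room_no" value="' . $roomNo . '">' . "\n"
         . '<textarea id="description" name="description">' . $description . '</textarea>';
}

/** True if the rendered HTML contains a script element the template did not emit itself. */
function containsInjectedScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed record (assumption) holding the writeup's payloads as stored data.
$storedRoom = [
    'room_no'     => '"><script>alert("XSS on Room")',
    'description' => '"><script>alert("XSS on Description")',
];

$vulnerable = renderRoomFieldsVulnerable($storedRoom);
$safe       = renderRoomFieldsSafe($storedRoom);

echo "Vulnerable output:\n", $vulnerable, "\n\n";
echo "Hardened output:\n", $safe, "\n\n";
printf(
    "Script element reaches the browser: vulnerable=%s, hardened=%s\n",
    containsInjectedScript($vulnerable) ? 'yes' : 'no',
    containsInjectedScript($safe) ? 'yes' : 'no'
);
```

Run it with `php` on the command line: the vulnerable output shows the `"` closing the value attribute early so that `<script>` lands as real markup, while the hardened output contains only `&quot;&gt;&lt;script&gt;`, which the browser renders as literal text. Encoding at the point of output is what prevents the browser from interpreting stored data as markup; input validation is a useful second layer but not a substitute, because the same record can be rendered in other contexts later.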

Impact of Stored Cross-Site Scripting

The impacts of Stored Cross-Site Scripting (Stored XSS) are mentioned below:

Session Hijacking: Attackers can hijack user sessions, gaining unauthorized access to accounts and allowing them to perform actions on behalf of users or access confidential data.

Manipulation of Web Pages: Stored XSS can alter the appearance and functionality of web pages, potentially tricking users into executing unintended actions, clicking on malicious links, or downloading malware.

Attack Scenario

  • Go to http://<application-ip>/php-sqlite-rrs/?page=manage_room.

Image: Application view

  • Provide the payloads "><script>alert("XSS on Room"), "><script>alert("XSS on Name") and "><script>alert("XSS on Description") in the room_no, name and description parameters respectively.

Image: Room's Detail

  • Click on Save.

  • A popup appears for each payload provided.

Image: XSS on Room

Image: XSS on Name

Image: XSS on Description

Remediation

Mitigating stored cross-site scripting (XSS) vulnerabilities is crucial for securing web applications. To prevent stored XSS, follow these best practices:

  • Whitelist Input: Only allow specific, safe characters and patterns in user input. Reject any input that doesn’t conform to this whitelist.

  • Data Sanitization: Filter and clean user input to remove or encode any potentially malicious characters. Use libraries like OWASP’s Java Encoder, PHP’s htmlspecialchars, or equivalent functions in other languages.

  • Sanitization Libraries: Use security libraries and frameworks that provide built-in XSS prevention mechanisms, such as Ruby on Rails, Django, or AngularJS.

  • Use HTTP-Only Cookies: Mark cookies as HTTP-only to prevent JavaScript from accessing them, reducing the impact of XSS attacks.

  • Session Management: Implement secure session management to ensure that session cookies and tokens are properly protected and rotated.

  • Security Headers: Use security headers like X-XSS-Protection and X-Content-Type-Options to instruct browsers to mitigate certain types of attacks. Note that X-XSS-Protection is deprecated and ignored by current browsers; a Content-Security-Policy header that restricts where scripts may load from is the supported replacement.
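The cookie, session-management and header recommendations above, as an added PHP example that is not part of the Resort Reservation System project: a bootstrap routine the application could call at the top of its entry script, before any output and before session_start(). The /php-sqlite-rrs/ path comes from this writeup; the policy values and the function names applySecurityDefaults() and rotateSessionAfterLogin() are assumptions, and script-src 'self' assumes Bootstrap's JavaScript is served from the application's own host (a CDN origin would have to be added to the policy, and any inline scripts the app legitimately uses would need nonces). Content-Security-Policy is used here in place of X-XSS-Protection because the latter is deprecated.

```php
<?php
// Added example, not code from Resort Reservation System: defence-in-depth
// settings so that an injected script, if one still runs, cannot read the
// session cookie, and so the browser refuses inline and third-party scripts.
declare(strict_types=1);

/** Session cookie attributes: HttpOnly keeps document.cookie from exposing the session id. */
function sessionCookieOptions(bool $https): array
{
    return [
        'lifetime' => 0,                   // session cookie, discarded when the browser closes
        'path'     => '/php-sqlite-rrs/',  // application path from the writeup
        'domain'   => '',
        'secure'   => $https,              // send only over HTTPS when the site is served over HTTPS
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

/** Response headers sent on every page. Assumed policy; adjust to the assets the app really loads. */
function securityHeaders(): array
{
    return [
        // No inline scripts and no scripts from other origins: the injected
        // <script>alert(...) elements in the writeup are inline, so the browser drops them.
        'Content-Security-Policy' => "default-src 'self'; script-src 'self'; "
                                   . "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
                                   . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        'X-Content-Type-Options'  => 'nosniff',
        'Referrer-Policy'         => 'strict-origin-when-cross-origin',
    ];
}

/** Call before any output and before session_start(); hypothetical name. */
function applySecurityDefaults(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    session_set_cookie_params(sessionCookieOptions($https));
    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL

    foreach (securityHeaders() as $name => $value) {
        header($name . ': ' . $value);
    }
    session_start();
}

/** Call once the management user has authenticated, so a pre-login id cannot be reused; hypothetical name. */
function rotateSessionAfterLogin(): void
{
    session_regenerate_id(true);
}

applySecurityDefaults();
```

These settings limit the blast radius of a script that does get injected: with HttpOnly set, the session cookie is not readable from JavaScript, and with the CSP in place the browser refuses to execute the inline `<script>` elements the vulnerability inserts. They do not replace output encoding in the template, which remains the primary fix.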

That’s all in this writeup.

Thanks for reading this far. If you enjoyed the writeup, do support me here.

This post is licensed under CC BY 4.0 by the author.