The whole project uses “vtlib_purify” for the sanitization of user input. It does a good job of stripping HTML tags such as <script>, <svg> etc. However, it allows the <a> tag, and we can use the javascript: protocol on the href attribute by changing the “:” character to the HTML entity “&colon;”.
So, our final payload is <a href=javascript&colon;alert(document.domain)>CLICK ME (the same string appears URL-encoded in the request below).
For example, the file “NewReport0” uses “vtlib_purify” on the “reportmodule” parameter and prints the user’s input after sanitization.
We can get XSS with the payload above.
https://demo.corebos.com/index.php?module=Reports&action=ReportsAjax&file=NewReport0&reportmodule=%3Ca+href=javascript%26colon;alert(document.domain)%3ECLICK%20ME
We can also get stored XSS in comments. Check https://demo.corebos.com/index.php?module=Accounts&action=DetailView&record=87, where you will see a comment created by me that includes the XSS.
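The “&colon;” trick works because the browser decodes character references in attribute values before it ever parses the URL, so a filter that inspects the undecoded attribute text never sees “javascript:”. The following is an added example, not code from this report or from coreBOS, written in Python rather than the project’s PHP: it performs the same decoding (and the tab/newline stripping browsers also apply, so it goes slightly beyond the single entity used here) before checking the href scheme against an allowlist, and includes a naive substring check to show the miss. The allowlist, function names and sample markup are my own.

```python
import html
import re
from html.parser import HTMLParser

# Schemes an <a href> may use after sanitization; everything else is rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_INNER_JUNK = re.compile(r"[\t\n\r]")                    # browsers drop these anywhere in a URL
_EDGE_JUNK = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")  # and trim controls/spaces at the ends

def effective_scheme(value, entity_encoded=True):
    """Scheme the browser will act on ('' for relative URLs). With entity_encoded=True
    `value` is raw attribute text, so character references (&colon;, &#x3A;, ...) are
    decoded first, as the HTML parser does; that is what makes javascript&colon; live."""
    url = html.unescape(value) if entity_encoded else value
    url = _EDGE_JUNK.sub("", _INNER_JUNK.sub("", url))
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else ""

def naive_is_safe(raw_value):
    """Substring check on the undecoded attribute: the kind of check the bypass defeats."""
    return "javascript:" not in raw_value.lower()

def is_safe_href(value, entity_encoded=True):
    """Allowlist check on the scheme the browser will really see."""
    scheme = effective_scheme(value, entity_encoded)
    return scheme == "" or scheme in SAFE_SCHEMES

class _AnchorScanner(HTMLParser):
    """Collects href values of <a> tags whose effective scheme is not allowlisted."""
    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already decoded entities in attribute values, so don't decode twice.
        for name, value in attrs:
            if tag == "a" and name == "href" and value and not is_safe_href(value, False):
                self.unsafe.append(value)

def find_unsafe_hrefs(markup):
    """Return every <a href> in `markup` whose effective scheme is not allowlisted."""
    scanner = _AnchorScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.unsafe

# Constructed sample: decoded form of the payload in the report's URL, plus a benign link.
SAMPLE = ('<a href=javascript&colon;alert(document.domain)>CLICK ME</a> '
          '<a href="https://example.com/">ok</a>')
```

Running find_unsafe_hrefs over user-supplied HTML before it is stored or rendered flags exactly the anchor that the substring check passes.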