{"id": "PACKETSTORM:154195", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Snapforce CRM 8.3.0 Cross Site Scripting", "description": "", "published": "2019-08-22T00:00:00", "modified": "2019-08-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/154195/Snapforce-CRM-8.3.0-Cross-Site-Scripting.html", "reporter": "Prasad Lingamaiah", "references": [], "cvelist": [], "lastseen": "2019-08-23T05:44:08", "viewCount": 111, "enchantments": {"dependencies": {}, "score": {"value": -0.4, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/154195/snapforce830-xss.txt", "sourceData": "`Hello Team, \n \nGreetings. Below is a list of XSS vulnerabilities and concurrent login \nvulnerabilities in the Snapforce \n<https://crm.snapforce.com/prodigy/login.php?timeout> (version 8.3.0) \napplication. \n \n \n \n*Vulnerability List:* \n \n1. Stored Cross Site Scripting \n \n2. Stored Cross Site Scripting through UI Redirection \n \n3. Concurrent Logins are Allowed \n \n*Affected URL:* \n \nhttps://crm.snapforce.com/prodigy/login.php \n \n \n \n*Steps to reproduce:* \n \n1. Log in to the application using https://crm.snapforce.com/prodigy/login.php \n \n2. Go to the Accounts creation page and create a new Account. \n \n3. Fill in all required parameters, insert the XSS payload in the description \nfield and save it. \n \n4. Once the payload is saved in the description field, the cross site \nscripting payload executes. \n \n5. The application can redirect to an attacker-controlled site; in my case I \nredirected to the google.com page. \n \n6. 
For more information please see the attached file. \n \n \n \n*Payloads:* \n';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> \n \n<script>document.location='https://google.com'</script> \n \n*Mitigation:* \n \nhttps://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet \n \n \n \n\u2022 Output encoding: It is recommended to implement \u2018output encoding\u2019 to \nconvert untrusted input into a safe form where the input is displayed as \ndata to the user without executing as code in the browser. 
\n \n \n \nJava HTML encoding function \n \nimport java.text.StringCharacterIterator; \n \npublic static String HTMLEncode(String aTagFragment) { \n    final StringBuffer result = new StringBuffer(); \n    final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment); \n    char character = iterator.current(); \n    while (character != StringCharacterIterator.DONE) { \n        // replace each HTML-significant character with its entity \n        if (character == '<') result.append(\"&lt;\"); \n        else if (character == '>') result.append(\"&gt;\"); \n        else if (character == '\\\"') result.append(\"&quot;\"); \n        else if (character == '\\'') result.append(\"&#039;\"); \n        else if (character == '\\\\') result.append(\"&#092;\"); \n        else if (character == '&') result.append(\"&amp;\"); \n        else { \n            // the char is not a special one \n            // add it to the result as is \n            result.append(character); \n        } \n        character = iterator.next(); \n    } \n    return result.toString(); \n} \n \n \n \n\u2022 Escaping: Escape all untrusted data based on the HTML context (body, \nattribute, JavaScript, CSS, or URL) that the data will be placed into. \n \nESAPI API \n \nString safe = ESAPI.encoder().encodeForHTML(request.getParameter(\"input\")); \n \n \n \n\u2022 Filtering input parameter: Positive or \"whitelist\" input validation with \nappropriate canonicalization is the recommended filtering technique. \nAlternatively, black-list filtering works by removing some or all \nspecial characters from your input. Special characters are characters that \nenable script to be generated within an HTML stream. Special characters \ninclude the following: \n \n<> \" ' % ; ) ( & + - \n \nJavaScript code \n \nfunction RemoveBad(strTemp) { \n    // black-list filter: strip every character in the list above \n    strTemp = strTemp.replace(/[<>\"'%;()&+\\-]/g, \"\"); \n    return strTemp; \n} \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645425878, "score": 1659814272}, "_internal": {"score_hash": "272cbea7ce06000bbfc2c570cb181ec9"}}