Snapforce CRM 8.3.0 Cross Site Scripting

`Hello Team,  
  
Greetings. there is list of xss vulnerabilities and Concurrent login  
vulnerabilities are in snapforce  
<https://crm.snapforce.com/prodigy/login.php?timeout> (version 8.3.0)  
application.  
  
  
  
*Vulnerability List: *  
  
1. Stored Cross Site Scripting  
  
2. Stored Cross Site Scripting thorough UI Redirection.  
  
3 Concurrent Login are Allowed  
  
*Effected URL: *  
  
https://crm.snapforce.com/prodigy/login.php  
  
  
  
*Steps to reproduce:*  
  
1.Login to application using https://crm.snapforce.com/prodigy/login.php  
  
2. Goto the Accounts creation location and create new Account.  
  
3. Fill all required parameters and insert XSS payload in description  
location and save it.  
  
4. once you saved the xss payload in description location cross site  
scripting payload can execute.  
  
5. application can redirect to attacker application my case i have  
redirected to google.com page  
  
6. for more information please see attached file  
  
  
  
*Payloads:*  
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>  
  
<script>document.location='https://google.com'</script>  
  
*Mitigation:*  
  
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet  
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.owasp.org_index.php_XSS-5F-28Cross-5FSite-5FScripting-29-5FPrevention-5FCheat-5FSheet&d=DwMFaQ&c=0DdzT34RfO2GGahVO5PumQ&r=8BdtPm_N-eOWc3EZEL8jVSXu4k5FAchn6mFgL-Knnhk&m=vCgg57fKEnLqhRpyRjhiXZxSZ258jYrO_CX_VtudPYo&s=zSunO4Eh5lUFVUfM2fblWQ2XLe-woCC3pG3gz4_fb10&e=>  
  
  
  
• Output encoding: It is recommended to implement ‘output encoding’ to  
convert untrusted input into a safe form where the input is displayed as  
data to the user without executing as code in the browser.  
  
  
  
Java HTML encoding Function  
  
public static String HTMLEncode(String aTagFragment){  
  
final StringBuffer result = new StringBuffer();  
  
final StringCharacterIterator iterator = new  
  
StringCharacterIterator(aTagFragment);  
  
char character = iterator.current();  
  
while (character != StringCharacterIterator.DONE )  
  
{  
  
if (character == '<') result.append("<");  
  
else if (character == '>') result.append(">");  
  
else if (character == '\"') result.append(""");  
  
else if (character == '\'') result.append("'");  
  
else if (character == '\\') result.append("\");  
  
else if (character == '&') result.append("&");  
  
else {  
  
//the char is not a special one  
  
//add it to the result as is  
  
result.append(character);  
  
}  
  
character = iterator.next();  
  
}  
  
return result.toString();  
  
}  
  
  
  
• Escaping: Escape all untrusted data based on the HTML context (body,  
attribute, JavaScript, CSS, or URL) that the data will be placed into.  
  
EASPI API  
  
String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input"  
) );  
  
  
  
• Filtering input parameter: Positive or "whitelist" input validation with  
appropriate canonicalization is the recommended filtering technique.  
Alternatively, black-list filtering input works by removing some or all  
special characters from your input. Special characters are characters that  
enable script to be generated within an HTML stream. Special characters  
include the following:  
  
<> " ' % ; ) ( & + -  
  
JavaScript Codefunction RemoveBad(strTemp) {  
  
strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"");  
  
return strTemp;  
  
}  
`