CVE-2021-46073: Vehicle Service Management System - 'User List' Stored Cross Site Scripting (XSS) - P.L.SANU
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the User List Section in login panel.
Vehicle Service Management System - ‘User List’ Stored Cross Site Scripting (XSS)
Description:
A stored cross-site scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the First Name and Last Name fields of the User List section in the admin panel (reachable after logging in). Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source, saves it, and later includes that data in its HTTP responses without encoding it for the HTML context in which it is placed.
Steps to Reproduce:
1. Log in to the admin panel at http://localhost/vehicle_service/admin
2. Navigate to the User List section and click the Create New button.
3. Enter the payload "><script>alert(document.cookie)</script> in the First Name and Last Name input fields.
4. Click the Save button.
5. The injected JavaScript executes whenever the User List is rendered; the proof-of-concept alert displays document.cookie.
Impact:
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities, such as stealing the session cookie the proof-of-concept payload displays, performing actions as the victim, or defacing the page.
In terms of exploitability, the key difference between reflected and stored XSS is that a stored XSS vulnerability enables attacks that are self-contained within the application itself. The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit: here, the payload is saved as a user's name and runs in the browser of every administrator who later opens the User List.
Mitigation:
Preventing XSS requires separation of untrusted data from active browser content.
This can be achieved by:
- Using frameworks that automatically escape output by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered.
- Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet ‘XSS Prevention’ has details on the required data escaping techniques.
- Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. When this cannot be avoided, similar context sensitive escaping techniques can be applied to browser APIs.
- Enabling a Content Security Policy (CSP) as a defense-in-depth mitigating control against XSS. It is effective if no other vulnerabilities exist that would allow placing malicious code via local file includes (e.g. path traversal overwrites or vulnerable libraries from permitted content delivery networks).
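The following Python script is an added illustration, not part of this advisory or of the Vehicle Service Management System code base, of why the proof-of-concept payload works and how the context-sensitive escaping recommended above stops it. The row template, the `data-name` attribute and the attribute-context payload are assumptions chosen to mirror the advisory's description (a name echoed into the User List page); the real application is a PHP project, where `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')` plays the role of `html.escape(s, quote=True)` here. The example also goes one step beyond the advisory by showing that encoding only `<`, `>` and `&` is not enough once the value lands inside an attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not captured from the application):
# the PoC payload from the advisory, an attribute-context variant,
# and a benign name containing a quote.
POC_PAYLOAD = '"><script>alert(document.cookie)</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'
BENIGN_NAME = "O'Brien"


def render_row_vulnerable(first_name, last_name):
    """Hypothetical User List row that concatenates untrusted input
    straight into HTML, both inside an attribute and in the element body.
    The PoC's leading '">' closes the attribute and the <tr> start tag,
    so the <script> that follows is parsed as a real element."""
    return (f'<tr data-name="{first_name} {last_name}">'
            f'<td>{first_name}</td><td>{last_name}</td></tr>')


def render_row_body_only_escape(first_name, last_name):
    """Common half-fix: encode only &, < and > (quote=False).
    That stops '<script>' but still lets '"' terminate the attribute,
    so ATTR_PAYLOAD injects a live onmouseover handler."""
    fn = html.escape(first_name, quote=False)
    ln = html.escape(last_name, quote=False)
    return (f'<tr data-name="{fn} {ln}">'
            f'<td>{fn}</td><td>{ln}</td></tr>')


def render_row_escaped(first_name, last_name):
    """Fix: encode for the HTML attribute/body context the data lands in.
    html.escape(..., quote=True) encodes &, <, >, " and ', so the value
    can neither close the attribute nor open a tag."""
    fn = html.escape(first_name, quote=True)
    ln = html.escape(last_name, quote=True)
    return (f'<tr data-name="{fn} {ln}">'
            f'<td>{fn}</td><td>{ln}</td></tr>')


class _TagCollector(HTMLParser):
    """Records every start tag and its (entity-decoded) attributes,
    approximating what a browser's tokenizer would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    """Return [(tag_name, {attr: value}), ...] for the given markup."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def has_script_element(markup):
    """True if the markup tokenizes to a real <script> element."""
    return any(tag == "script" for tag, _ in parsed_tags(markup))


def has_event_handler(markup):
    """True if any element carries an on* attribute (inline handler)."""
    return any(name.startswith("on")
               for _, attrs in parsed_tags(markup)
               for name in attrs)


if __name__ == "__main__":
    renderers = [("vulnerable", render_row_vulnerable),
                 ("body-only escape", render_row_body_only_escape),
                 ("context escape", render_row_escaped)]
    for label, render in renderers:
        script_hit = has_script_element(render(POC_PAYLOAD, "x"))
        handler_hit = has_event_handler(render(ATTR_PAYLOAD, "x"))
        print(f"{label:17} script element: {script_hit!s:5} "
              f"inline handler: {handler_hit}")
```

Running the script prints one line per renderer: only the context-escaped version yields neither a `<script>` element nor an `onmouseover` handler, while the benign name `O'Brien` still comes back intact once the browser decodes `&#x27;`. A Content-Security-Policy header without `'unsafe-inline'` in `script-src` would additionally stop the inline handler and script from executing even if the encoding were missed, which is the defense-in-depth role described in the last bullet above.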
References:
- https://github.com/plsanu/Vehicle-Service-Management-System-User-List-Stored-Cross-Site-Scripting-XSS
- https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
- https://portswigger.net/web-security/cross-site-scripting/stored