Vehicle Service Management System – ‘Multiple’ Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)
December 29, 2021
CVE, Vulnerability, Web Penetration Testing
Cyber Security Engineer
Information Security Analyst
Security Researcher
Full Stack Developer
Cyber Security Engineer
Information Security Analyst
Security Researcher
Full Stack Developer
Exploit Title: Vehicle Service Management System – ‘Multiple’ Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)
Exploit Author: P.L.Sanu
CVE: CVE-2021-46080
CVSS: 4.8 MEDIUM
References:
https://www.plsanu.com/vehicle-service-management-system-multiple-cross-site-request-forgery-csrf-leads-to-stored-cross-site-scripting-xss
https://nvd.nist.gov/vuln/detail/CVE-2021-46080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46080
Description:
A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.
Exploit:
1. Visit the admin panel http://localhost/vehicle_service/admin
2. Create two admin accounts.
3. Login the Admin-1 account in Browser A (Chrome)
4. Login the Admin-2 account in Browser B (Firefox)
5. In Admin-1 account(Chrome) navigate to the Mechanic List section and click on Create New button.
6. Inject the below payload in Full Name input field.
"><script>alert(document.cookie)</script>
7. Click on Save button.
8. Capture the request in burpsuite and generate the CSRF Html File.
9. Save the CSRF Html file For Ex: CSRF.html
10. In Browser B (Firefox) browse the CSRF.html file.
11. Navigate to the Mechanic List section in Browser B (Firefox).
12. Malicious javascript code triggered.
Exploit:
1. Visit the admin panel http://localhost/vehicle_service/admin
2. Create two admin accounts.
3. Login the Admin-1 account in Browser A (Chrome)
4. Login the Admin-2 account in Browser B (Firefox)
5. In Admin-1 account(Chrome) navigate to the Service Requests section and click on Create New button.
6. Inject the below payload in Owner Contact input field.
"><script>alert(document.cookie)</script>
7. Click on Save Request button.
8. Capture the request in burpsuite and generate the CSRF Html File.
9. Save the CSRF Html file For Ex: CSRF.html
10. In Browser B (Firefox) browse the CSRF.html file.
11. Navigate to the Service Requests section in Browser B (Firefox).
12. Choose the newly created Service Requests and click on Action under View.
13. Malicious javascript code triggered.
Exploit:
1. Visit the admin panel http://localhost/vehicle_service/admin
2. Create two admin accounts.
3. Login the Admin-1 account in Browser A (Chrome)
4. Login the Admin-2 account in Browser B (Firefox)
5. In Admin-1 account(Chrome) navigate to the Category List section and click on Create New button.
6. Inject the below payload in Category Name input field.
"><script>alert(document.cookie)</script>
7. Click on Save button.
8. Capture the request in burpsuite and generate the CSRF Html File.
9. Save the CSRF Html file For Ex: CSRF.html
10. In Browser B (Firefox) browse the CSRF.html file.
11. Navigate to the Category List section in Browser B (Firefox).
12. Malicious javascript code triggered.
Exploit:
1. Visit the admin panel http://localhost/vehicle_service/admin
2. Create two admin accounts.
3. Login the Admin-1 account in Browser A (Chrome)
4. Login the Admin-2 account in Browser B (Firefox)
5. In Admin-1 account(Chrome) navigate to the Service List section and click on Create New button.
6. Inject the below payload in Service Name input field.
"><script>alert(document.cookie)</script>
7. Click on Save button.
8. Capture the request in burpsuite and generate the CSRF Html File.
9. Save the CSRF Html file For Ex: CSRF.html
10. In Browser B (Firefox) browse the CSRF.html file.
11. Navigate to the Service List section in Browser B (Firefox).
12. Malicious javascript code triggered.
Exploit:
1. Visit the admin panel http://localhost/vehicle_service/admin
2. Create two admin accounts.
3. Login the Admin-1 account in Browser A (Chrome)
4. Login the Admin-2 account in Browser B (Firefox)
5. In Admin-1 account(Chrome) navigate to the User List section and click on Create New button.
6. Inject the below payload in First Name input field.
"><script>alert(document.cookie)</script>
7. Click on Save button.
8. Capture the request in burpsuite and generate the CSRF Html File.
9. Save the CSRF Html file For Ex: CSRF.html
10. In Browser B (Firefox) browse the CSRF.html file.
11. Navigate to the User List section in Browser B (Firefox).
12. Malicious javascript code triggered.
Exploit:
1. Visit the admin panel http://localhost/vehicle_service/admin
2. Create two admin accounts.
3. Login the Admin-1 account in Browser A (Chrome)
4. Login the Admin-2 account in Browser B (Firefox)
5. In Admin-1 account(Chrome) navigate to the Settings section.
6. Inject the below payload in System Name input field.
"><script>alert(document.cookie)</script>
7. Click on Update button.
8. Capture the request in burpsuite and generate the CSRF Html File.
9. Save the CSRF Html file For Ex: CSRF.html
10. In Browser B (Firefox) browse the CSRF.html file.
11. Navigate to the Settings section in Browser B (Firefox).
12. Malicious javascript code triggered.
Impact:
Cross-Site Request Forgery vulnerability exists in Multiple endpoints it leads to Stored Cross Site Scripting Vulnerability.
Mitigation:
It is recommended to implement the following: