
I am new to InfoSec and am trying to learn and try things for myself. I am exploring vulnerabilities in phpBB version 2.0.15.

I have used OWASP ZAP to scan the site, and I have discovered

XSS (Reflected) POST Vulnerability

I can work out that the postorder parameter is exploited with JavaScript, and in this case, should just show an alert popup on the screen.

I am trying to replicate this myself, using the URL and seeing the popup in my browser; however, I can't seem to manage.

http://localhost/phpbb2/viewtopic.php?sid=d0788fd3d4b38af8f932ebea058dcb99&start=0&t=1&postdays=0&postorder=javascript%3Aalert%281%29%3B&submit=Go

When using the link I'm expecting to see the JavaScript alert, however nothing happens.

How do I make it work? / What am I doing wrong? / What am I supposed to do with this?

Thanks

Phauk
  • It's unclear from your question if you can see any alert at all or what you expect to happen. Please rephrase your question to make it clear how we can help you – Purefan Feb 23 '17 at 13:21
  • It would be nice to see the rest you are getting. However, I'd suggest checking the following: Do you need the Referer header? Is your sid correct? Simply using any sid (or the one used by OWASP) might make phpbb drop your requests or process them in a different way. – FMaz Feb 23 '17 at 13:42
  • Probably, the XSS sandbox implemented by the browsers is stopping it. It helps, but it is not the browser's duty to protect; you should also do your work on your side. – jmingov Feb 23 '17 at 14:24
  • Check for the X-XSS-Protection header. As jmingov noted, many browsers will at least make an attempt to stop reflected XSS when the X-XSS-Protection header is present in the page. The easiest way is to use nikto to scan the site. It will tell you if the X-XSS-Protection header is missing; if it doesn't say anything about it, then it is present. – B00TK1D Mar 21 '17 at 14:20

2 Answers

1

I believe you are referring to this vulnerability: https://www.cvedetails.com/cve/CVE-2004-0339/

If we look at the details of the advisory, we see that the payload is slightly more complicated than the way you're trying to exploit it:

http://marc.info/?l=bugtraq&m=107799508130700&w=2

In this advisory, the (URL encoded) payload is:

'"><script>alert(document.cookie)</script><'

This is because the payload will be pasted inside of href="[your payload here]" in an a-tag. So if you try to inject javascript:alert(1), it will result in href="javascript:alert(1)". Maybe if you click on the link you will see the pop-up box. However, you can also break out of the href like in the example from the advisory, executing code the moment someone visits the page.

Do note that you need to use a browser that doesn't automatically reject xss, like Nipun suggested.

Beurtschipper
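To make the answer's point concrete, here is an added example (not phpBB's own code, and not from the advisory) of the attribute-context reflection it describes: a constructed `render_sort_link_vulnerable()` that drops the `postorder` value straight into `href="..."`, beside a hardened version that allowlists the only meaningful values and escapes for an attribute context. The function names, the URL shape and the page markup are assumptions made for the demonstration.

```php
<?php
// Constructed example of the reflection pattern the advisory describes:
// the raw postorder value is concatenated into an href attribute.
function render_sort_link_vulnerable(string $postorder): string
{
    return '<a href="viewtopic.php?t=1&amp;postorder=' . $postorder . '">Go</a>';
}

// Hardened version: postorder can only ever be "asc" or "desc", so reject
// anything else up front, then escape quotes and angle brackets anyway so the
// value cannot close the attribute or the tag even if the allowlist is bypassed.
function render_sort_link_hardened(string $postorder): string
{
    $postorder = ($postorder === 'desc') ? 'desc' : 'asc';
    $safe = htmlspecialchars($postorder, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="viewtopic.php?t=1&amp;postorder=' . $safe . '">Go</a>';
}

// Constructed inputs: the questioner's decoded value and the advisory's payload.
$inputs = [
    'questioner' => 'javascript:alert(1);',
    'advisory'   => '\'"><script>alert(document.cookie)</script><\'',
];

foreach ($inputs as $label => $value) {
    $vuln = render_sort_link_vulnerable($value);
    $hard = render_sort_link_hardened($value);

    // A bare javascript: URL stays inside href and only runs on click;
    // the advisory payload leaves the attribute and lands a <script> tag in the page.
    $breaksOut = (strpos($vuln, '<script>') !== false) ? 'yes' : 'no';

    echo "[$label] vulnerable: $vuln\n";
    echo "[$label]   breaks out of href and runs on page load: $breaksOut\n";
    echo "[$label] hardened:   $hard\n\n";
}
```

Running the script shows the advisory payload producing a `<script>` element outside the attribute in the vulnerable output, while the hardened output reduces both inputs to `postorder=asc`.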
0

First,

  1. Use Firefox if not using it already

  2. When you receive the response, browse through the source code to find whether the JavaScript 'XSS' string is present in the response, e.g. javascript:alert%28XSS%29%3B&submit=Go

  3. Make sure there are no escape characters present in the response

  4. Make sure the parameter is actually vulnerable

  5. Make use of alert(0) payload and check if this works or if any of its characters are being escaped

Nipun Jaswal