Snapforce CRM version 8.3.0 suffers from multiple cross site scripting vulnerabilities.
7cba26c3ea2972fcf97c2e39c9893c15Hello Team,
Greetings. there is list of xss vulnerabilities and Concurrent login
vulnerabilities are in snapforce
<https://crm.snapforce.com/prodigy/login.php?timeout> (version 8.3.0)
application.
*Vulnerability List: *
1. Stored Cross Site Scripting
2. Stored Cross Site Scripting thorough UI Redirection.
3 Concurrent Login are Allowed
*Effected URL: *
https://crm.snapforce.com/prodigy/login.php
*Steps to reproduce:*
1.Login to application using https://crm.snapforce.com/prodigy/login.php
2. Goto the Accounts creation location and create new Account.
3. Fill all required parameters and insert XSS payload in description
location and save it.
4. once you saved the xss payload in description location cross site
scripting payload can execute.
5. application can redirect to attacker application my case i have
redirected to google.com page
6. for more information please see attached file
*Payloads:*
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<script>document.location='https://google.com'</script>
*Mitigation:*
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.owasp.org_index.php_XSS-5F-28Cross-5FSite-5FScripting-29-5FPrevention-5FCheat-5FSheet&d=DwMFaQ&c=0DdzT34RfO2GGahVO5PumQ&r=8BdtPm_N-eOWc3EZEL8jVSXu4k5FAchn6mFgL-Knnhk&m=vCgg57fKEnLqhRpyRjhiXZxSZ258jYrO_CX_VtudPYo&s=zSunO4Eh5lUFVUfM2fblWQ2XLe-woCC3pG3gz4_fb10&e=>
• Output encoding: It is recommended to implement ‘output encoding’ to
convert untrusted input into a safe form where the input is displayed as
data to the user without executing as code in the browser.
Java HTML encoding Function
public static String HTMLEncode(String aTagFragment){
final StringBuffer result = new StringBuffer();
final StringCharacterIterator iterator = new
StringCharacterIterator(aTagFragment);
char character = iterator.current();
while (character != StringCharacterIterator.DONE )
{
if (character == '<') result.append("<");
else if (character == '>') result.append(">");
else if (character == '\"') result.append(""");
else if (character == '\'') result.append("'");
else if (character == '\\') result.append("\");
else if (character == '&') result.append("&");
else {
//the char is not a special one
//add it to the result as is
result.append(character);
}
character = iterator.next();
}
return result.toString();
}
• Escaping: Escape all untrusted data based on the HTML context (body,
attribute, JavaScript, CSS, or URL) that the data will be placed into.
EASPI API
String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input"
) );
• Filtering input parameter: Positive or "whitelist" input validation with
appropriate canonicalization is the recommended filtering technique.
Alternatively, black-list filtering input works by removing some or all
special characters from your input. Special characters are characters that
enable script to be generated within an HTML stream. Special characters
include the following:
<> " ' % ; ) ( & + -
JavaScript Codefunction RemoveBad(strTemp) {
strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"");
return strTemp;
}