Let's start from the beginning:
1) open-redirect bug?
Maybe some 'feature'... but sending a POST request to UserSets.aspx with the content presented below
will show you a 302 code in Intruder's tab. I was wondering what would happen if I set up Kali's Apache2 on port 9090 and sent the txtManagerSite param to that box (for the /asd 'resource')...
Response from Burp:
...ok it wasn't Apache ;]
Cool. Next.
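A check to run over captured request/response pairs to see whether the redirect behaviour from item 1 is present, or gone after an update. This is an added example, not code from the original post or from the vendor; it assumes the 302's Location header carries the submitted txtManagerSite value, and every host and body in it is a constructed sample.

```python
from urllib.parse import parse_qs, urlsplit


def _host(value, bare_ok=False):
    """Lowercase host[:port] of a URL, or '' for a relative reference."""
    value = value.strip()
    if "://" not in value and not value.startswith("//"):
        if not bare_ok:
            return ""                 # relative Location such as /Login.aspx
        value = "//" + value          # form value given as host:port/path
    try:
        return urlsplit(value).netloc.lower()
    except ValueError:                # malformed authority, e.g. bad brackets
        return ""


def off_site_redirect(request_host, form_body, status, location,
                      param="txtManagerSite"):
    """True when a 3xx response points at the host submitted in `param`
    and that host is not the one the request was sent to."""
    if not 300 <= status < 400 or not location:
        return False
    target = _host(location)
    if not target or target == request_host.lower():
        return False
    submitted = parse_qs(form_body, keep_blank_values=True).get(param, [])
    return any(_host(v, bare_ok=True) == target for v in submitted)


# Constructed sample exchanges: (Host header, POST body, status, Location).
SAMPLES = [
    ("app.example.test", "txtManagerSite=http%3A%2F%2F192.0.2.10%3A9090%2Fasd",
     302, "http://192.0.2.10:9090/asd"),
    ("app.example.test", "txtManagerSite=192.0.2.10%3A9090%2Fasd",
     302, "http://192.0.2.10:9090/asd"),
    ("app.example.test", "txtManagerSite=http%3A%2F%2F192.0.2.10%3A9090%2Fasd",
     302, "/Login.aspx"),
    ("app.example.test", "txtManagerSite=https%3A%2F%2Fapp.example.test%2Fx",
     302, "https://app.example.test/x"),
]


def flagged(samples=SAMPLES):
    """Indexes of the exchanges that redirect off-site via the parameter."""
    return [i for i, s in enumerate(samples) if off_site_redirect(*s)]


if __name__ == "__main__":
    print(flagged())
```

Relative redirects and redirects back to the application's own host are not flagged, so the same check can run against normal traffic.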
2) persistent XSS - account name - create token
I decided to create some 'Tokens' - results below:
If you're looking for a cool 'Account Name', this one should be good to start:
When I tried a different 'payload', I saw something new in the background:
I think our token is created now:
;]
Last hint:
Next.
3) persistent XSS - VfManager.asmx -SeceltAccounts->DisplayName
Sending POST again:
Response:
Don't worry. ;> Let's check some of the 'Groups' - below:
;]
Next.
4) user's groups - ConfigurationPage
When you check the (created) "user's groups" in your ConfigurationPage, you will find:
6) persistent XSS - Adding Group
Response:
...and...
...cookie in prompt(). Same results with prompt(1) (just for a 'better view' ;)):
Enough for now. ;]
Questions/comments?
Cheers,
Cody
o/
so.. how to fix this?
Hi,
well. "Stay up-to-date" like the Vendor said (https;//www, cyberark, com/product-security/)? ;)
Thank you for watching. :)
Cheers