Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Dzzoffice 2.02.1 - Cross-Site Scripting

By kannthu

High
Vidoc logoVidoc Module
#dzzoffice#xss
Description

What is "Dzzoffice 2.02.1 - Cross-Site Scripting?"

The "Dzzoffice 2.02.1 - Cross-Site Scripting" module is designed to detect a cross-site scripting vulnerability in the Dzzoffice software version 2.02.1_SC_UTF8. This vulnerability allows remote attackers to inject arbitrary web script or HTML through the zero parameter. The severity of this vulnerability is classified as high, with a CVSS score of 7.2.

This module was authored by arafatansari.

Impact

If exploited, this cross-site scripting vulnerability in Dzzoffice 2.02.1_SC_UTF8 can lead to the execution of malicious scripts or the injection of harmful HTML code. This can result in various security risks, including unauthorized access, data theft, and potential compromise of user accounts or sensitive information.

How does the module work?

The "Dzzoffice 2.02.1 - Cross-Site Scripting" module works by sending a specific HTTP request to the target system. The request is designed to exploit the vulnerability by injecting a malicious script or HTML code through the zero parameter. The module then checks for specific conditions in the response to determine if the vulnerability is present.

Here is an example of the HTTP request sent by the module:

POST /index.php?mod=system&op=orgtree&do=orgtree HTTP/1
Host: {%Hostname%}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

id=%23&nouser=0&moderator=0&zero=<img+src=x+onerror=alert(document.domain)>&stype=0&range=0&showjob=0

The module then applies the following matching conditions to determine if the vulnerability is present:

- The response contains the text "<img src=x onerror=alert(document.domain)>". - The response header contains the text "text/html". - The response status code is 200.

If all of these conditions are met, the module identifies the presence of the cross-site scripting vulnerability in the Dzzoffice software.

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: "text":"<img src=x onerror=alert(documen...and
word: text/htmland
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability