by Anshuman    May 31, 2019

This is a demonstration of a Stored Cross-Site Scripting attack in the SQLiteManager and User-Agent header modules. For this demo I’ll be using bWAPP, a deliberately buggy web application that we can use to practise testing various web vulnerabilities.

bWAPP Official Link:- http://www.itsecgames.com/

How to perform Stored Cross-Site-Scripting attack in SQLiteManager?

Now please choose Cross-site-Scripting — Stored (SQLiteManager) from the drop-down menu and click Hack.

As you can see from the above screenshot it shows the message that "The SQLiteManager version is vulnerable to Cross-Site Scripting!".

In the hint, the CVE number is mentioned (CVE-2012-5105), so let’s search for it to get more information about this vulnerability.

As per the CVE report, an XSS vulnerability was found in SQLiteManager version 1.2.4 which allows remote attackers to inject arbitrary web script via the DB shell parameter in the main.php and index.php files.

To get the complete report of this vulnerability please visit this link:- 36510

Exploit DB report on this vulnerability

SQLiteManager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

SQLiteManager 1.2.4 is vulnerable; other versions may also be affected.

But as per their report, I don’t think this vulnerability exists as it is very old.

So for every application, always use the latest version and follow the project’s forums so that you stay in touch with the developer community and get the latest updates.

SQLiteManager Developer Communities

1. DB Browser for SQLite

2. SQLiteBrowser Twitter

3. SQLiteBrowser Github

How to perform Stored Cross-Site-Scripting attack in User-Agent Header?

Now please choose Cross-site-Scripting — Stored (User-Agent) from the drop-down menu and click Hack.

As you can see from the above screenshot, it is able to identify my browser version, operating system and some other details, and these details are stored in the database.

So now let’s intercept the request using Burp Suite so that we can inject a JavaScript payload into the User-Agent header.

Now go back again and choose the same option Cross-site-Scripting — Stored (User-Agent) from the drop-down menu and click Hack.

If you go back to Burp Suite and follow the same steps we followed in the reflected module, you will be able to see the intercepted request for the "xss_stored_4.php" file.

Now let’s inject the payload into the "User-Agent" header.

<script>alert(1)</script>

Now if you go back to the browser, you will be able to see the alert dialog box.

As you can see from the above screenshot, we are able to inject JavaScript code through the "User-Agent" header.

This payload also gets stored in the database: if you open "phpMyAdmin" and check the "visitors" table, you can see the payload saved there.

Because the payload is stored in the database, it will be executed again every time you leave the page and come back to it.

How do we prevent this attack?

1. User input taken from HTTP headers needs to be encoded before it is rendered in the page, and developers can implement filters that eliminate any scripting tags.

2. In some cases, the X-XSS-Protection header can prevent some XSS (cross-site-scripting) attacks, as it enables a browser-side feature that sanitizes HTML responses.
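To make the two points above concrete (why the payload keeps firing on every visit, and what output encoding actually changes), here is a small Python simulation of the "visitors" flow. This is an added example, not code from the original post or from bWAPP: it assumes a visitors table with a single user_agent column (an in-memory SQLite stand-in for bWAPP’s MySQL table), and the sample User-Agent values, including the page’s own test string, are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample User-Agent header values. The second one is the
# harmless test string used in the post; it is stored exactly like any other.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0",
    "<script>alert(1)</script>",
]

# Assumption: a minimal 'visitors' table, standing in for bWAPP's MySQL table.
SCHEMA = "CREATE TABLE visitors (id INTEGER PRIMARY KEY, user_agent TEXT NOT NULL)"


def open_db():
    """Create the in-memory visitors table used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def record_visit(conn, user_agent):
    """Store the raw header value, like the vulnerable module does.

    Storing the raw string is not the bug (a parameterised INSERT keeps the
    database safe); the bug is rendering it later without encoding.
    """
    conn.execute("INSERT INTO visitors (user_agent) VALUES (?)", (user_agent,))
    conn.commit()


def render_visitors_vulnerable(conn):
    """Mimic the vulnerable page: stored values are concatenated straight into HTML."""
    rows = conn.execute("SELECT user_agent FROM visitors ORDER BY id").fetchall()
    return "<ul>" + "".join(f"<li>{ua}</li>" for (ua,) in rows) + "</ul>"


def render_visitors_safe(conn):
    """Hardened rendering: HTML-entity-encode every stored value at output time."""
    rows = conn.execute("SELECT user_agent FROM visitors ORDER BY id").fetchall()
    return "<ul>" + "".join(
        f"<li>{html.escape(ua, quote=True)}</li>" for (ua,) in rows
    ) + "</ul>"


def find_suspicious_rows(conn):
    """Defender check: rows whose stored value contains markup characters.

    A simple heuristic for auditing the table after the fact, not a complete
    XSS detector; output encoding is still the real fix.
    """
    rows = conn.execute("SELECT id, user_agent FROM visitors").fetchall()
    return [(row_id, ua) for row_id, ua in rows if "<" in ua or ">" in ua]


def demo():
    """Run the whole flow and return the results for inspection."""
    conn = open_db()
    for ua in SAMPLE_USER_AGENTS:
        record_visit(conn, ua)
    return {
        # Rendered twice with no new request: the second render still carries
        # the stored markup, which is what makes the issue "stored" XSS.
        "vulnerable_first": render_visitors_vulnerable(conn),
        "vulnerable_again": render_visitors_vulnerable(conn),
        "safe": render_visitors_safe(conn),
        "suspicious": find_suspicious_rows(conn),
    }


if __name__ == "__main__":
    out = demo()
    print("vulnerable:", out["vulnerable_first"])
    print("safe:      ", out["safe"])
    print("to review: ", out["suspicious"])
```

Running it shows the vulnerable renderer emitting the stored `<script>` tag verbatim on every render, while the safe renderer emits `&lt;script&gt;...` which the browser displays as text. Note that the X-XSS-Protection header mentioned above only ever controlled a browser-side filter: Chrome and Edge have since removed it and Firefox never implemented it, so output encoding at render time (plus a Content-Security-Policy) is what to rely on.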

I hope you guys liked this post. Bye for now.

Happy Hacking :)
