Online Invoicing System 2.6 XSS / Session Hijack

Disclosure date: 01/07/20


Online Invoicing System (OIS) version 2.6 and possibly before are affected by a cross site scripting vulnerability that can be leveraged for session hijacking.  An attacker can exploit the XSS vulnerability, retrieve the session cookie from the administrator login, and take over the administrator account.

Add New Client:

Insert XSS:

Note the script tags are removed from the UI:

But not in the SQL DB:

When viewing the Reports page:

Leveraging the XSS to steal the session cookie:

Again, the script tags are removed:

But we get execution and can retrieve the session cookie:

We access the site from an unauthenticated browser:

We inspect the cookie:

We replace the cookie:

We refresh the page and we notice the Admin Area appear:

Session Hijacked: