Summary by Statuspage
Stored XSS Vulnerability in Statuspage
- Engagement Statuspage
- Disclosed date over 1 year ago
- Points 5
- Priority P5 Bugcrowd's VRT priority rating
- Status Informational This vulnerability is seen as an accepted business risk
Summary by PuneetLucknowi
Please share full details it would be helpful for development team to understand the issue.
Report details
-
Submitted
-
Target Location
*.statuspage.io -
Target category
Web App
-
VRT
Cross-Site Scripting (XSS) > Stored -
Priority
P5 -
Bug URL
https://jokery.statuspage.io/incidents/r033ggcvdnvt?utm_source=manage -
Description
Title:
Application is vulnerable to stored XSS .
Vulnerability reproduction steps
User can create web application & utilize HTML embedding to create site, however with html which is acceptable but eval() JavaScript dangerous functions also allowed as input.
An attacker could create some site application with injected malicious eval() function & utilize beef exploitation kind of tool to run malicious JavaScript payload into victim's browser & can craft various exploitation.
Creating a single page with JavaScript eval() function to include malicious JavaScript such as hook.js & advertise the page as this page reflects primary domain/FQDN as *.statuspage.io so victim easily trust this page & in that way on viewing the page in which JavaScript malicious reference included through JavaScript eval() could serve malicious payload to victim & successfully craft various XSS based attack through BEEF exploitation framework tool detailed example with Beef Framework exploitation referenced below :
https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting
https://zsecurity.org/how-to-use-beef-framework-over-wan/
https://www.kali.org/tools/beef-xss/So advertising a single page could lead to exploitation of multiple users/victims.
Remediation:
Please refer below link for remediation:
https://portswigger.net/web-security/cross-site-scripting/preventing
Steps:
Injected XSS script eval() function returned in response:
xss payload executed & various data captured in xsshunter framework cookie, ip address of victim etc.
Recommendation: It is recommended to block execuition of eval() dangerous functions also.
Activity
- Atlassian_KL Customer published the disclosure report
- PuneetLucknowi sent a message
- jeremy_bugcrowd sent a message
- Atlassian_MJ Customer resolved a blocker for Bugcrowd Operations by responding to comments
- jeremy_bugcrowd created a blocker on Atlassian to respond to comments
- PuneetLucknowi sent a message
- PuneetLucknowi sent a message
- PuneetLucknowi sent a message
- PuneetLucknowi sent a message
- PuneetLucknowi requested disclosure
- PuneetLucknowi sent a message
- mrhacker_bugcrowd changed the severity to P5
- mrhacker_bugcrowd changed the state to Informational
- mrhacker_bugcrowd rewarded PuneetLucknowi 5 points
- mrhacker_bugcrowd sent a message
- Atlassian_SM Customer resolved a blocker for Bugcrowd Operations by responding to comments
- PuneetLucknowi sent a message
- viper-bugcrowd created a blocker on Atlassian to respond to comments
- PuneetLucknowi resolved a blocker for Atlassian by providing information on reproduction
- PuneetLucknowi sent a message
- robert_bugcrowd created a blocker on the researcher to provide information on reproduction
- robert_bugcrowd sent a message
- PuneetLucknowi sent a message
- PuneetLucknowi created the submission
