Application is vulnerable to stored XSS

Disclosed by PuneetLucknowi
  • Engagement: Statuspage
  • Disclosed date: over 1 year ago
  • Points: 5
  • Priority: P5 (Bugcrowd's VRT priority rating)
  • Status: Informational (this vulnerability is seen as an accepted business risk)
Summary by Statuspage

Stored XSS Vulnerability in Statuspage

Summary by PuneetLucknowi

Please share full details; it would be helpful for the development team to understand the issue.

Report details
  • Submitted
  • Target Location: *.statuspage.io
  • Target category: Web App
  • VRT: Cross-Site Scripting (XSS) > Stored
  • Priority: P5
  • Bug URL: https://jokery.statuspage.io/incidents/r033ggcvdnvt?utm_source=manage
  • Description

    Title:

    Application is vulnerable to stored XSS.

    Vulnerability reproduction steps

    A user can create a web application and utilize HTML embedding to create a site. HTML is acceptable, however dangerous JavaScript functions such as eval() are also allowed as input.

    An attacker could create a site application with an injected malicious eval() function and utilize a BeEF-style exploitation tool to run a malicious JavaScript payload in the victim's browser and craft various exploits.

    An attacker could create a single page with a JavaScript eval() function that includes malicious JavaScript such as hook.js and advertise the page; because the page reflects the primary domain/FQDN *.statuspage.io, the victim easily trusts it. On viewing the page in which the malicious JavaScript reference is included through eval(), the malicious payload could be served to the victim and various XSS-based attacks crafted through the BeEF exploitation framework. A detailed example of exploitation with the BeEF framework is referenced below:

    https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting
    https://zsecurity.org/how-to-use-beef-framework-over-wan/
    https://www.kali.org/tools/beef-xss/

    So advertising a single page could lead to exploitation of multiple users/victims.

    Remediation:

    Please refer below link for remediation:

    https://portswigger.net/web-security/cross-site-scripting/preventing

    Steps:

    1. Injected XSS script with eval() function returned in the response (screenshot: xsser1.JPG).

    2. XSS payload executed and various data captured in the XSS Hunter framework: cookie, IP address of the victim, etc. (screenshots: xsser2.JPG, xsser3.JPG).

    Recommendation: It is recommended to also block execution of dangerous functions such as eval().
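The remediation the report asks for (refuse eval() and other dangerous constructs in user-supplied HTML embeds) is normally met in two layers: an allowlist sanitizer that emits only known-safe tags and attributes, and a Content-Security-Policy header that omits 'unsafe-eval' so eval(), new Function() and string-argument setTimeout are refused by the browser even if something slips through. The Python below is an added example written for this page, not Statuspage's or the reporter's code; the tag/attribute allowlist, the CSP string and the sample embed are assumptions constructed for illustration.

```python
"""Allowlist HTML sanitizer for user-supplied embeds plus an eval-free CSP.

Added example; not Statuspage's or the reporter's code. The allowlist, the
policy string and SAMPLE_EMBED are assumptions chosen for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: tags and attributes a status page embed legitimately needs.
# Event-handler attributes (onload, onerror, ...) are deliberately never listed.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "a", "ul", "ol", "li",
                "br", "img", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"},
                 "span": {"class"}, "div": {"class"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Elements whose *content* must also be dropped, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed",
                     "svg", "math", "template"}


def safe_url(value):
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, etc.
    Control characters are removed first so "java\tscript:" cannot hide the scheme."""
    if value is None:
        return False
    stripped = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(stripped).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags/attributes; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text is still emitted (escaped)
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers every on* handler and anything unexpected
            if name in URL_ATTRS and not safe_url(value):
                continue
            parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # decoded by the parser, re-encoded here

    # Comments, declarations and processing instructions fall through and are dropped.


def sanitize_embed(html_fragment):
    parser = AllowlistSanitizer()
    parser.feed(html_fragment)
    parser.close()  # flushes any buffered trailing text
    return "".join(parser.out)


def content_security_policy():
    """Assumed policy: no 'unsafe-eval' and no 'unsafe-inline', so eval() and
    inline <script> are refused by the browser regardless of what the embed contains."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


# Constructed sample embed mixing legitimate markup with the patterns from the report.
SAMPLE_EMBED = (
    '<p>Status: <b>operational</b></p>'
    '<script>eval(atob("payload"))</script>'
    '<a href="javascript:alert(1)" onclick="x()">link</a>'
    '<img src="https://example.com/x.png" alt="x" onerror="y()">'
    '<a href="https://example.com">ok</a>'
)

if __name__ == "__main__":
    print(sanitize_embed(SAMPLE_EMBED))
    print("Content-Security-Policy:", content_security_policy())
```

The sanitizer fails closed: an unterminated `<script>` suppresses everything after it rather than letting it through, and attribute values are re-escaped on output so a decoded `&quot;` cannot break out of its quotes. Sanitization and CSP are complementary, not alternatives; the CSP is what actually blocks eval() at runtime.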

Activity
  1. Atlassian_KL (Customer) published the disclosure report
  2. PuneetLucknowi sent a message (edited)
  3. jeremy_bugcrowd sent a message
  4. Atlassian_MJ (Customer) resolved a blocker for Bugcrowd Operations by responding to comments
  5. jeremy_bugcrowd created a blocker on Atlassian to respond to comments
  6. PuneetLucknowi sent a message
  7. PuneetLucknowi sent a message
  8. PuneetLucknowi sent a message (edited)
  9. PuneetLucknowi sent a message (edited)
  10. PuneetLucknowi requested disclosure
  11. PuneetLucknowi sent a message (edited)
  12. mrhacker_bugcrowd changed the severity to P5
  13. mrhacker_bugcrowd changed the state to Informational
  14. mrhacker_bugcrowd rewarded PuneetLucknowi 5 points
  15. mrhacker_bugcrowd sent a message
  16. Atlassian_SM (Customer) resolved a blocker for Bugcrowd Operations by responding to comments
  17. PuneetLucknowi sent a message
  18. viper-bugcrowd created a blocker on Atlassian to respond to comments
  19. PuneetLucknowi resolved a blocker for Atlassian by providing information on reproduction
  20. PuneetLucknowi sent a message (edited)
  21. robert_bugcrowd created a blocker on the researcher to provide information on reproduction
  22. robert_bugcrowd sent a message
  23. PuneetLucknowi sent a message (edited)
  24. PuneetLucknowi created the submission