Summary by Polyxena
Stored Cross-Site Scripting (XSS) in Blog Title Field - /globe-community/blogs/community-blogs
https://globe.gov/
Web App
https://www.globe.gov/globe-community/blogs/community-blogs
Stored Cross-Site Scripting (XSS) is a severe security flaw that allows attackers to inject malicious scripts into web pages viewed by other users. This type of XSS is particularly dangerous because the injected script is saved by the server and then displayed to users, making it persistent across sessions. In the context of the Members section within community groups, a Stored XSS vulnerability was discovered. This flaw enables the attacker to execute arbitrary JavaScript code in the context of the victim's browser session when viewing the affected page.
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the title field of the blog creation interface on globe.gov. Specifically, when creating a new blog post, malicious scripts inserted into the title field were executed on the page globe.gov/globe-community/blogs/community-blogs. Upon identifying and verifying the vulnerability, immediate action was taken to remove the compromised blog post to maintain a positive user experience and prevent any adverse effects on visitors to the site.
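The fix for a title that is stored and later written into a listing page is to encode it at output time. The following is an added example, not globe.gov's code and not part of the original report; the function names, the listing markup and the sample posts are assumptions constructed for illustration. It shows the unencoded rendering beside the encoded one, plus a helper for auditing titles that are already stored.

```javascript
// Added example: hypothetical rendering of a community blog listing.
// Function names, markup shape and sample rows are assumptions.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so any tag it contains becomes part of the page for every visitor.
function renderListingUnsafe(posts) {
  return posts.map((p) => `<li><a href="/blog/${p.id}">${p.title}</a></li>`).join("\n");
}

// Hardened pattern: encode when writing into HTML, so the title stays text
// regardless of what was accepted at creation time.
function renderListingSafe(posts) {
  return posts
    .map((p) => `<li><a href="/blog/${encodeURIComponent(p.id)}">${escapeHtml(p.title)}</a></li>`)
    .join("\n");
}

// Audit helper: ids of stored titles that would open a tag, comment or
// closing tag if rendered unencoded. "<" followed by a space or digit is
// ordinary text and is not flagged.
function findSuspectTitles(posts) {
  return posts.filter((p) => /<[a-z!\/?]/i.test(String(p.title))).map((p) => p.id);
}

// Constructed sample rows; id 2 carries the title string from this report.
const samplePosts = [
  { id: 1, title: "Rainfall data & student Q&A" },
  { id: 2, title: "<svg/onload=prompt(document.domain)>" },
  { id: 3, title: "Temperatures < 0 °C in March" },
];

console.log(renderListingSafe(samplePosts));
console.log("Titles to review:", findSuspectTitles(samplePosts));
```

Encoding belongs at every place the title is written into HTML; the audit helper only locates existing rows for cleanup and does not replace output encoding.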
The impact of a Stored XSS vulnerability extends beyond simple defacement of web pages:
Compromise of User Sessions: The most immediate risk is the potential for session hijacking. Attackers can use XSS to steal session cookies, allowing them to impersonate victims and gain unauthorized access to their accounts.
Access to Sensitive Information: By executing malicious scripts, attackers can capture keystrokes, access browser history, and retrieve sensitive information displayed on the web page.
Spread of Malware: XSS can serve as a delivery mechanism for malware, including spyware, ransomware, and worms. Users visiting the compromised web page may unknowingly download malicious software.
Phishing Attacks: Attackers can use XSS to redirect users to phishing sites or display fake login prompts, tricking users into divulging their credentials.
Erosion of Trust: The presence of XSS vulnerabilities undermines user trust in the affected platform. Users may hesitate to engage with the community or enter personal information, impacting the platform's reputation and user engagement.
Considering these potential impacts, it's crucial to address Stored XSS vulnerabilities promptly to protect both users and the integrity of the platform.
globe.gov
globe.gov/web/{{your profile name}}/home/blog
New Entry button to create a new blog post.
<svg/onload=prompt(document.domain)>
https://www.globe.gov/globe-community/blogs/community-blogs to view the community blogs.
Please ensure to delete your blog post after testing to prevent impacting the user experience negatively.
Kindly watch the proof of concept video attached in this report.
Proof Of Concept.mp4