[HIGH]Stored XSS chained with IDOR at https://edrn-labcas.jpl.nasa.gov/labcas-ui/s/index.html?search=*

Disclosed by
dextro
Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program

All this does is modify the json within the response. This does not execute XSS attacks

Summary by dextro

The application at https://edrn-labcas.jpl.nasa.gov/labcas-ui/s/index.html?search=* has a Stored XSS vulnerability in the "Saved Searches" feature, escalated by an IDOR flaw. Attackers can inject malicious JavaScript into their profile name and exploit the IDOR to link the payload to another user’s account, leading to XSS execution when the victim logs in.

Steps to Reproduce
Log in and navigate to "Saved Searches."
Intercept the POST request to /ksdb/save_labcas_search_input/.
Modify profile_name to <script>alert(1)</script> and submit.
Change the userid to a victim’s ID and submit again.
The payload executes when the victim logs in.
Business Impact
Privilege Escalation: XSS escalates from self-account to others.
Cross-User XSS: Affects multiple users.
Profile Tampering: Allows unauthorized profile changes.
A video PoC demonstrates the attack, emphasizing the need for input sanitization and proper authorization checks.

Activity