Report title: Stored Cross-Site Scripting (XSS)
Endpoint: https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/update/52
Vulnerable Parameter: profile_description
Payload: https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/sec875
Body
I have discovered a stored XSS vulnerability affecting the endpoint '/profile/update/*' in the parameter 'profile_description'. The payload requires no filter bypass and is a simple '<svg/onload=alert(0)>'.
You can see a working proof of concept here:
https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/sec875
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722456444/lg9sryihh889e0x9mc6i.png)
To reproduce:
1. After logging in, go to Edit Profile and enter the payload in the Description text box.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722456439/zxdsbfotfifaifmzdzum.png)
2. Access My Profile using any browser.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722456444/lg9sryihh889e0x9mc6i.png)
3. Visit the public profile page, which is accessible to everyone: https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/sec875
4. You will observe that the XSS executes.
Payload used: <svg/onload=alert(1)>. No filtering at all.
Vulnerable parameter: profile_description
Endpoint/URL: https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/sec875
Impact:
As the session cookies are not protected by HttpOnly, we can obtain these and achieve account takeover. In addition, the CSRF token is stored in the DOM, which enables us to easily perform actions on behalf of the user.
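As an added illustration, not part of this report and not the Barker Social application's own code (which is not shown), the following hypothetical Python render function is given in its vulnerable and fixed forms, together with the HttpOnly session-cookie attribute the impact section refers to; the function names, the template markup and the cookie attributes are assumptions:

```python
import html
import re

# Constructed sample: the exact payload from the report, as it would sit in
# the profile_description column after the /profile/update/* request.
STORED_DESCRIPTION = "<svg/onload=alert(0)>"

# Markup the (hypothetical) template is allowed to emit itself; any other
# start tag in the rendered page must have come from user data.
TEMPLATE_TAGS = {"div"}

def render_profile_vulnerable(description: str) -> str:
    """Interpolates the stored value into HTML without encoding, which is the
    defect class the report describes (no filtering or encoding at all)."""
    return f"<div class='bio'>{description}</div>"

def render_profile_fixed(description: str) -> str:
    """Output-encodes for an HTML text-node context. html.escape(quote=True)
    converts ampersand, angle brackets and both quote characters to entities,
    so the browser shows the payload as text instead of creating an <svg>
    element whose onload handler runs."""
    return f"<div class='bio'>{html.escape(description, quote=True)}</div>"

def session_cookie_header(session_id: str, *, http_only: bool) -> str:
    """Build the Set-Cookie line for the session. Without HttpOnly, script
    running in the page can read document.cookie, which is what lets an XSS
    escalate to the account takeover claimed in the impact section; with it,
    the cookie still travels on requests but is invisible to JavaScript.
    Secure and SameSite are included as accompanying good practice."""
    attrs = ["Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return f"Set-Cookie: session={session_id}; " + "; ".join(attrs)

def data_supplied_tags(rendered_html: str) -> set[str]:
    """Regression check for a test suite: collect every start tag in the
    rendered page that the template did not emit. Escaped text contains no
    raw '<', so a correct renderer yields an empty set."""
    found = set(re.findall(r"<([a-z][a-z0-9]*)", rendered_html.lower()))
    return found - TEMPLATE_TAGS

if __name__ == "__main__":
    print(render_profile_vulnerable(STORED_DESCRIPTION))
    print(data_supplied_tags(render_profile_vulnerable(STORED_DESCRIPTION)))  # {'svg'}
    print(render_profile_fixed(STORED_DESCRIPTION))
    print(data_supplied_tags(render_profile_fixed(STORED_DESCRIPTION)))       # set()
    print(session_cookie_header("constructed-session-id", http_only=True))
```

The data_supplied_tags check is the kind of assertion a unit test for the profile page can carry so that a regression to unencoded output is caught before deployment.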