Stored XSS on Goal Section

Low
marcelfolaron published GHSA-q5f6-2jfc-pmf7 Nov 16, 2024

Package

No package listed

Affected versions

<2.3.20

Patched versions

2.3.21

Description

Summary

Improper Neutralization of Input During Web Page Generation ('Stored Cross-site Scripting')

Details

VULNERABILITY: STORED XSS
PAYLOADS USED:

<iframe %00 src=" javascript:prompt(1) "%00>
<iframe src=javascript:alert(document.location)>

Affected URL:
https://www.{username}.leantime.io/goalcanvas/showCanvas

PoC

STEPS TO REPRODUCE THE BUG:

  1. VISIT: https://www.{username}.leantime.io/dashboard/
  2. Visit the goals tab from your dashboard.
  3. Create new goal.
  4. Paste the payloads into the "Title" field and the "How will you measure success? Which metric will you be using?" field respectively.
  5. Save and close; the payload executes.
  6. Go to the discussion section of the goal you just created.
  7. Paste any one of the payloads and save.
  8. Each time you visit the goals tab, the payload executes.
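The payloads above show why a keyword blocklist is not a fix for this class of bug: the `%00`-padded variant does not match the pattern a filter typically looks for, while context-aware output encoding neutralizes every variant. The following is an added illustration, not Leantime's code; the `naiveBlocklist` and `escapeHtml` functions are hypothetical, and the payloads are taken verbatim from the advisory.

```javascript
// Added example (not part of Leantime): contrast a keyword blocklist with
// HTML entity encoding, using the two stored payloads from the advisory.

// Payloads exactly as listed in the advisory (treated as stored strings).
const PAYLOADS = [
  '<iframe %00 src=" javascript:prompt(1) "%00>',
  '<iframe src=javascript:alert(document.location)>',
];

// Hypothetical "fix" that only strips a well-formed "<iframe src=" prefix.
// The %00 text between the tag name and the attribute is not whitespace, so
// the first payload is left untouched. The same holds if %00 is decoded to a
// NUL byte, because \s does not match \u0000 in JavaScript regexes.
function naiveBlocklist(input) {
  return input.replace(/<iframe\s+src=/gi, '');
}

// Correct control: entity-encode every untrusted value before interpolating
// it into HTML text or a quoted attribute. This has the same effect as PHP's
// htmlspecialchars($s, ENT_QUOTES) in a server-rendered template.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Rough check for an HTML start tag the browser would still parse:
// an unescaped '<' followed directly by a letter.
function containsTag(html) {
  return /<[a-z]/i.test(html);
}

// Report, for one stored value, whether each approach leaves a live tag.
function evaluate(payload) {
  return {
    blocklistStillHasTag: containsTag(naiveBlocklist(payload)),
    escapedStillHasTag: containsTag(escapeHtml(payload)),
  };
}

// Stand-alone run: the blocklist passes the %00 variant, encoding passes none.
for (const p of PAYLOADS) console.log(JSON.stringify(evaluate(p)));
```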

Impact

In terms of exploitability, the key difference between reflected and stored XSS is that a stored XSS vulnerability enables attacks that are self-contained within the application itself. The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for users to encounter it.

The self-contained nature of stored cross-site scripting exploits is particularly relevant in situations where an XSS vulnerability only affects users who are currently logged in to the application. If the XSS is reflected, then the attack must be fortuitously timed: a user who is induced to make the attacker's request at a time when they are not logged in will not be compromised. In contrast, if the XSS is stored, then the user is guaranteed to be logged in at the time they encounter the exploit.

I have attached a video proof of concept. Thank you.

POC-LINK: https://sendspark.com/share/6awthphyzm53hyiu

Severity

Low

CVE ID

No known CVE