Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stored Cross Site Scripting Allows to hijack the sessions #163

Closed
madhuakula opened this issue Jun 30, 2014 · 1 comment

Comments

Projects
None yet
2 participants
@madhuakula
Copy link

commented Jun 30, 2014

Summary : Stored Cross Site Scripting Vulnerability leads to hijack the users sessions

Description :

About Vulnerability :

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Impact :

Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

For more reference :

https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

Steps to Reproduce : (POC)

Login as any user and add a document.

When you are adding a document. Give the name

"><img src=x onerror=prompt(document.domain)>.png

then upload it.

Done

madhuakula_opendoc

Mitigation :

Don't trust any user input and use proper sanitation

for more reference : https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Madhu Akula
Information Security Researcher

@stephenlawrence stephenlawrence modified the milestones: 1.2.8, 1.2.7.3 Jul 2, 2014

@madhuakula

This comment has been minimized.

Copy link
Author

commented Sep 6, 2015

@opendocman opendocman locked and limited conversation to collaborators Sep 7, 2015

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.