
Acknowledgement From Inflectra

Muhaddis ・ 2 min read

Cross-Site Scripting is one of my favourite flaws to test for in web applications, and most of the time I get a result. I recently found the same issue in Inflectra with the help of one of my friends.

Cross-Site Scripting vulnerabilities most often turn up in forums, search results, support pages and form fields. This time I found a Stored XSS in the Support Help Center (forum) of Inflectra.

Vulnerable Url: https://www.inflectra.com/Support/Forum/List.aspx

User Agent: Mozilla / Chrome / Safari / Android

Bug Type: Stored XSS (Cross-Site Scripting)

Fix: Validate the table-insert input and HTML-encode it when the post is rendered.

Date: 6 February 2017

Current Status: Patched

Steps to Reproduce:

  1. Go to https://www.inflectra.com/Support/Forums.aspx
  2. In the Forums, select any category and then open any problem/question.
  3. Click the Reply button on that question and, in the editor, choose the Insert Table option.
  4. Put the XSS payload into every table field, as shown in the screenshot, then click Insert Table. Payload: "><img src=# onerror=alert('XSS') /> The popup executes, which shows the page is vulnerable to XSS.
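The steps above, and the "Fix" line earlier in the write-up, boil down to one mistake: the editor's Insert Table feature drops the cell text straight into the HTML of the saved reply, so a payload that closes the attribute/tag context gets stored and executed for every reader. The following is an added example and not Inflectra's code: a minimal model of such a table builder in its vulnerable form beside a hardened form that HTML-encodes each cell at output. All function names are illustrative, and the payload is the one from the write-up, embedded here as constructed sample input.

```javascript
// Added example (not Inflectra's code): a toy model of a forum editor's
// "Insert Table" feature. Names (buildTableUnsafe, buildTableSafe,
// escapeHtml, containsEventHandler) are illustrative assumptions.

// The payload from the write-up, constructed here as sample input.
const PAYLOAD = '"><img src=# onerror=alert(\'XSS\') />';

// Vulnerable: cell text is concatenated straight into the markup, so the
// `">` in the payload closes the cell context and the <img> becomes live HTML.
// Because the reply is saved and re-rendered for every viewer, this is a
// *stored* XSS rather than a reflected one.
function buildTableUnsafe(rows) {
  return '<table>' +
    rows.map(r => '<tr>' + r.map(c => `<td>${c}</td>`).join('') + '</tr>').join('') +
    '</table>';
}

// Encode the five characters that change meaning in HTML text and
// attribute contexts. Ampersand must be encoded first so the entities we
// emit are not themselves re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: identical markup, but every cell value is encoded at the point
// where it is written into HTML (output encoding, not just input filtering).
function buildTableSafe(rows) {
  return '<table>' +
    rows.map(r => '<tr>' + r.map(c => `<td>${escapeHtml(c)}</td>`).join('') + '</tr>').join('') +
    '</table>';
}

// Crude stand-in for a browser: does the markup contain a real tag carrying
// an on*= event-handler attribute? Encoded text never starts a tag, so the
// safe output fails this test even though it still "contains" the payload text.
function containsEventHandler(html) {
  return /<[^>]+\son\w+\s*=/i.test(html);
}

// Run both builders over the same rows and report the difference.
function demo() {
  const rows = [[PAYLOAD, 'second cell'], ['third cell', PAYLOAD]];
  return {
    unsafeHtml: buildTableUnsafe(rows),
    safeHtml: buildTableSafe(rows),
    unsafeExecutes: containsEventHandler(buildTableUnsafe(rows)),
    safeExecutes: containsEventHandler(buildTableSafe(rows)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('vulnerable builder yields a live handler:', r.unsafeExecutes);
  console.log('hardened builder yields a live handler:  ', r.safeExecutes);
  console.log(r.safeHtml);
}
```

Encoding is the right fix when cell contents are meant to be plain text. If the editor intentionally allows users to author HTML inside cells, full encoding would break that feature and the fix instead is an allow-list HTML sanitizer applied server-side before storage and again at render; either way, the check belongs where the data meets the HTML, not only in a client-side input filter the attacker controls.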


As soon as I inserted the table, the payload executed and the alert popup appeared.


Once I had the result, I reported this security flaw to them; they replied within five working days and started working on a fix.

They fixed the issue within fifteen days and offered to list my name on their website's security Hall of Fame page.

I accepted their offer, and five days later I was on their Hall of Fame page.


Thank you for taking the time to read this, and thanks to Inflectra for the acknowledgement. (:


Muhaddis

@muhaddimu

Muhaddis is a web developer and security researcher who has been acknowledged by top companies, including DEV, for helping them find security flaws in their products. He is also interested in cloud technology ✨
