HTML Injection/XSS Question

I'm attempting to inject code into a form (scripts, etc.) to test for XSS and others. I've tried dozens of things including the usual <script>alert("XSS);</script>. The only things that have worked are:

<h1>test</h1>
<font color="red">test</font>
Unicode HTML Encoding (I can replace letters, but characters, such as <, are filtered out.)

They give the expected results -- formatted text. And when I exit the application and log back in, the code is still there, and it still executes. But that's all.

Could a more advanced tester go further, or does it appear that I've taken it as far as it can be taken? If this is it, is it worth reporting?

Thanks!

Find more posts tagged with

Comments

chrisone

Its worth reporting. It is a stored XSS vulnerability right? Is it within the context of a logged in user? Have you tested if you can grab cookies (granted that "HTTP only" flag is off)?

tedjames

Thank you for the response! Yes, it is stored. I have several sets of test credentials, so I've tried it multiple times. Yes to the cookies and yes to the HTTP only flag. It's been an uphill battle getting them to secure their cookies.

I was just concerned that it might not be a thing because all I could do is format text. It makes sense that any kind of database manipulation, no matter how small, is a vulnerability that needs fixing. A little input validation should do the trick.

I also asked a friend about this, and he said: "If it is injecting data into the database, I would consider it a vulnerability. It could possibly corrupt the database, fill up the database, or cause a DoS."

chrisone

Totally agreed 100%

good find by the way!

tedjames

Thanks! I really appreciate your help.