HTML Injection/XSS Question

tedjames, Scruffy-looking nerfherdr, Member, Posts: 1,164
edited June 23 in Pentesting
I'm attempting to inject code into a form (scripts, etc.) to test for XSS and others. I've tried dozens of things, including the usual <script>alert("XSS");</script>. The only things that have worked are:
  • <h1>test</h1>
  • <font color="red">test</font>
  • Unicode HTML Encoding (I can replace letters, but characters, such as <, are filtered out.)
They give the expected results -- formatted text. And when I exit the application and log back in, the code is still there, and it still executes. But that's all.

Could a more advanced tester go further, or does it appear that I've taken it as far as it can be taken? If this is it, is it worth reporting?

Thanks!

Comments

  • chrisone, Senior Member, Posts: 2,132
    It's worth reporting. It is a stored XSS vulnerability, right? Is it within the context of a logged-in user? Have you tested if you can grab cookies (granted that the "HttpOnly" flag is off)?
    Certs: CISSP, OSCP, CRTP, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2020 Goals:
    Courses: VHL (completed), CQURE: Windows Security Crash Course (completed), BlackHills InfoSec: Breaching the Cloud (completed), eLearnSecurity: WAPTv3 (completed), IHRP (completed), THPv2 (completed), PTXv2 (in-progress)
    Certs: VHL: Advanced+ (completed), OSCP (completed), AZ-500 (failed 1st attempt), eLearnSecurity: eWPT (failed 2x, no further attempts), eLearnSecurity: eCIR (complete), eLearnSecurity: eCTHPv2 (report: awaiting results), eLearnSecurity: eCPTXv2 (Late-Nov)
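A way to put the thread's two questions side by side (which payloads survive a filter that only strips `<script>`, and whether the session cookie carries the HttpOnly flag), as an added example that is not code from the thread or from the application under test. It assumes the application's filter behaves like the `blocklistSanitize` function below; that is an assumption, since the thread only says `<h1>` and `<font>` pass while `<script>` does not. The payload list and the `Set-Cookie` headers are constructed for the example.

```javascript
// Added example, not from the forum thread or the tested application.
// Assumption: the app's filter strips <script> elements and leaves other
// tags alone (blocklist). The payloads and cookie headers are constructed.

// Naive blocklist filter: removes <script> elements and nothing else.
function blocklistSanitize(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?script\b[^>]*>/gi, '');
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Allowlist filter: escape everything, then re-enable exactly the markup the
// form is meant to support: bare <h1> and <font color="word"> with no other
// attributes. Anything else stays as inert text.
function allowlistSanitize(input) {
  return escapeHtml(input)
    .replace(/&lt;(\/?)h1&gt;/gi, '<$1h1>')
    .replace(/&lt;font color=&quot;([a-z]{1,20})&quot;&gt;/gi, '<font color="$1">')
    .replace(/&lt;\/font&gt;/gi, '</font>');
}

// Does the sanitizer output still contain a real tag that can run script?
// Only actual "<tag ...>" tokens are inspected, so escaped text never counts.
function isScriptCapable(html) {
  const tag = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const [, name, attrs] = m;
    if (name.toLowerCase() === 'script') return true;
    if (/\son[a-z]+\s*=/i.test(attrs)) return true;                       // event handler attribute
    if (/\b(href|src)\s*=\s*["']?\s*javascript:/i.test(attrs)) return true; // javascript: URL
  }
  return false;
}

// Constructed payloads: the two the thread says work, the one it says is
// blocked, and three that a blocklist on <script> alone does not cover.
const PAYLOADS = [
  '<h1>test</h1>',
  '<font color="red">test</font>',
  '<script>alert("XSS")</script>',
  '<font color="red" onmouseover="alert(1)">test</font>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
];

function runPayloads(sanitize) {
  return PAYLOADS.map(p => {
    const output = sanitize(p);
    return { payload: p, output, scriptCapable: isScriptCapable(output) };
  });
}

function countScriptCapable(sanitize) {
  return runPayloads(sanitize).filter(r => r.scriptCapable).length;
}

// Parse a Set-Cookie header value and report the flags that matter for a
// stored XSS cookie-theft test. sameSite is null when the attribute is absent.
function cookieFlags(setCookie) {
  const parts = setCookie.split(';').map(s => s.trim().toLowerCase());
  const ss = parts.find(p => p.startsWith('samesite='));
  return {
    httpOnly: parts.includes('httponly'),
    secure: parts.includes('secure'),
    sameSite: ss ? ss.slice('samesite='.length) : null,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, fn] of [['blocklist', blocklistSanitize], ['allowlist', allowlistSanitize]]) {
    console.log(`== ${label}: ${countScriptCapable(fn)} script-capable results`);
    for (const r of runPayloads(fn)) console.log(`${r.scriptCapable ? 'EXEC ' : 'inert'} ${r.output}`);
  }
  // Constructed headers: one hardened cookie, one without HttpOnly.
  console.log(cookieFlags('session=abc; Path=/; HttpOnly; Secure; SameSite=Lax'));
  console.log(cookieFlags('session=abc; Path=/'));
}
```

The practical point: if the application really does filter by removing `<script>` and leaving other tags alone, the next payloads to try are the ones `blocklistSanitize` lets through (an event handler on a tag that is already allowed, `<img onerror>`, a `javascript:` URL), not more variations on `<script>`. With the HttpOnly flag set, `document.cookie` will not expose the session cookie, but the injected script still runs as the victim and can issue requests in their session, so the finding is the same severity either way.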
  • tedjames, Scruffy-looking nerfherdr, Member, Posts: 1,164
    Thank you for the response! Yes, it is stored. I have several sets of test credentials, so I've tried it multiple times. Yes to the cookies and yes to the HTTP only flag. It's been an uphill battle getting them to secure their cookies.

    I was just concerned that it might not be a thing because all I could do is format text. It makes sense that any kind of database manipulation, no matter how small, is a vulnerability that needs fixing. A little input validation should do the trick.

    I also asked a friend about this, and he said: "If it is injecting data into the database, I would consider it a vulnerability. It could possibly corrupt the database, fill up the database, or cause a DoS."

  • chrisone, Senior Member, Posts: 2,132
    Totally agreed, 100%. :) Good find, by the way!
  • tedjames, Scruffy-looking nerfherdr, Member, Posts: 1,164
    Thanks! I really appreciate your help.