HTML Injection/XSS Question

tedjames Member Posts: 1,179
edited June 2020 in Pentesting
I'm attempting to inject code into a form (scripts, etc.) to test for XSS and others. I've tried dozens of things, including the usual <script>alert("XSS");</script>. The only things that have worked are:
  • <h1>test</h1>
  • <font color="red">test</font>
  • Unicode HTML Encoding (I can replace letters, but characters, such as <, are filtered out.)
They give the expected results -- formatted text. And when I exit the application and log back in, the code is still there, and it still executes. But that's all.

Could a more advanced tester go further, or does it appear that I've taken it as far as it can be taken? If this is it, is it worth reporting?

Thanks!

Comments

  • chrisone Member Posts: 2,278
    It's worth reporting. It is a stored XSS vulnerability, right? Is it within the context of a logged-in user? Have you tested if you can grab cookies (granted that the "HTTP only" flag is off)?
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • tedjames Member Posts: 1,179
    Thank you for the response! Yes, it is stored. I have several sets of test credentials, so I've tried it multiple times. Yes to the cookies and yes to the HTTP only flag. It's been an uphill battle getting them to secure their cookies.

    I was just concerned that it might not be a thing because all I could do is format text. It makes sense that any kind of database manipulation, no matter how small, is a vulnerability that needs fixing. A little input validation should do the trick.

    I also asked a friend about this, and he said: "If it is injecting data into the database, I would consider it a vulnerability. It could possibly corrupt the database, fill up the database, or cause a DoS."
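    As an added illustration (not code from this thread or from the application under test) of why a filter that only blocks script tags still leaves the stored HTML injection described above, and what "a little input validation" should actually look like: a hypothetical blacklist filter is compared with output encoding via Python's html.escape, over constructed inputs modelled on the ones in the thread.

```python
import html
import re

# Constructed inputs modelled on the thread: the classic script probe, the
# two tags the poster saw render, and ordinary text.
SAMPLES = [
    '<script>alert("XSS");</script>',
    '<h1>test</h1>',
    '<font color="red">test</font>',
    'plain text',
]

TAG_RE = re.compile(r'<[a-zA-Z][^>]*>')


def blacklist_filter(value: str) -> str:
    """Hypothetical weak filter: strips <script> tags only, as the thread's
    target appears to do, and leaves every other tag intact."""
    return re.sub(r'</?script[^>]*>', '', value, flags=re.IGNORECASE)


def encode_for_html(value: str) -> str:
    """Correct fix: contextual output encoding. The stored value stays as
    typed, but is escaped when placed into an HTML text node, so the browser
    shows '<h1>test</h1>' literally instead of rendering a heading."""
    return html.escape(value, quote=True)


def render_profile(stored: str, sanitize) -> str:
    """Simulate the page that reflects the stored field back to other users."""
    return f'<div class="bio">{sanitize(stored)}</div>'


def surviving_tags(sanitize) -> list[str]:
    """Return the sample inputs that still carry raw markup after `sanitize`.
    An empty list means no stored sample reaches the page as live HTML."""
    return [s for s in SAMPLES if TAG_RE.search(sanitize(s))]


if __name__ == "__main__":
    print("blacklist leaks:", surviving_tags(blacklist_filter))
    print("encoding leaks: ", surviving_tags(encode_for_html))
```

    The blacklist version reports the <h1> and <font> samples as leaks, exactly the behaviour the poster observed; the encoding version reports none.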

  • chrisone Member Posts: 2,278
    Totally agreed 100% :) good find by the way!
  • tedjames Member Posts: 1,179
    Thanks! I really appreciate your help.