Slack: Stored XSS(Cross Site Scripting) In Slack App Name

ID H1:159460
Type hackerone
Reporter imnarendrabhati
Modified 2016-11-22T22:04:56


Hello Slack,

This vulnerability is about a Stored Cross Site Scripting

Slack Stored XSS In App(App Name)

Vulnerable URL(Edit App Page)[appid]/general

Vulnerable Parameter = name

Note -Its also work on other user as well.

Send this link to victim


Reproduction Steps POC Video - Screen shot is also attached.

1) Go to app edit page[appid]/general 2) In app name parameter enter the following payload "/><script>alert(/Bhati/)</script> 3) Now open the app page in any other tab 4) You will get a Alert Box 5) We can also send this same link to other user(victim).

Thanks, Narendra