HackerOne report H1:1804177, reported by saajanbhujel
Dec 14, 2022 - 11:56 a.m.

Stripe: Possible XSS vulnerability without a content security bypass

Bounty: $2000

Tags: xss vulnerability, custom link, content security policy, bypass, impact, bug bounty

Summary:

Hi security team members,

Hope you are well and doing great :)

I found a possible XSS vulnerability in https://dashboard.stripe.com, but I was not able to bypass the content security policy.

Although I don't have much knowledge about CSP and its bypasses, I read that you accept XSS without a content security policy bypass, so I'm reporting this to you.
> Please note that we do accept and reward submissions for valid cross-site scripting vulnerabilities even if they are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security bypass will be assessed at a lower severity level than those with a bypass.

Description:

This occurs when you create a custom link with javascript://%0aalert(1) as the URL through a Stripe app. Clicking the custom link gives a CSP "refused to execute" error.

Steps To Reproduce:

  1. Install the Custom Links app: https://marketplace.stripe.com/apps/custom-links

  2. Go to your products and create a custom link with javascript://%0aalert(1) as the link.
    {F2076228}

  3. Once you click on the custom link you just created, it doesn't execute because of CSP.
    {F2076226}

  4. You can verify this by opening your browser console.

Video POC:

{F2076227}

Impact

If an attacker is able to bypass CSP, then there is a possible XSS vulnerability in https://dashboard.stripe.com.