Mobile Vikings: Stored XSS in Direct debit name

ID H1:45233
Type hackerone
Reporter 4lemon
Modified 2015-03-04T14:19:37


  1. Create a new Direct debit or edit an existing one (for example
  2. Fill the owner's name field with the payload asdf'"><script>alert(document.cookie)</script>
  3. Save the form. We get a stored XSS on the pages: and admin area pages may be affected as well.

The really interesting thing is that if we click the link, this cookie gets set: Set-Cookie messages="e052df5f3af892c7a61d74d0d9a6ab14c7f1631c$[[\"__json_message\"\0540\05425\054\"Successfully suspended asdf'\\"><script>alert(document.cookie)</script> <span>BE61310126985517</span>\"]]"; Path=/

So we have a properly signed cookie with the XSS payload inside it. If we find a way to set it (for example an XSS on a subdomain, or a CRLF issue in some data that ends up in a response header), we can use this XSS vector too.
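To make the two halves of the report concrete, here is an added example that is not code from the report or from Mobile Vikings. The `__json_message` marker and the `<hex>$<json>` layout in the cookie above are the shape of Django's cookie-based flash-message storage, so the snippet mimics that scheme in miniature: an HMAC-SHA1 over the JSON list, the `\054`/`\"` cookie quoting seen in the Set-Cookie header, and the two ways the stored message can be rendered. The secret key, helper names and the exact encoding details are assumptions; the point is that the signature proves the server produced the value but says nothing about whether its text is safe to put in HTML.

```python
"""Miniature of a signed flash-message cookie (assumed structure, not vendor code)."""
import hashlib
import hmac
import html
import json
import re

SECRET_KEY = b"hypothetical-secret-key"  # assumption: stands in for the server's secret
MARKER = "__json_message"                # marker visible in the report's cookie
SUCCESS = 25                             # message level visible in the report's cookie

# Cookie-value quoting in the style the report's header shows: ',' -> \054, '"' -> \"
_QUOTE = {'"': '\\"', "\\": "\\\\", ",": "\\054", ";": "\\073"}


def cookie_quote(value: str) -> str:
    """Wrap in double quotes and escape the characters a cookie value cannot carry."""
    return '"' + "".join(_QUOTE.get(ch, ch) for ch in value) + '"'


def cookie_unquote(quoted: str) -> str:
    """Reverse cookie_quote: \\ooo octal escapes and \\x single-char escapes."""
    if not (quoted.startswith('"') and quoted.endswith('"')):
        return quoted
    body = quoted[1:-1]
    return re.sub(
        r"\\([0-7]{3}|.)",
        lambda m: chr(int(m.group(1), 8)) if len(m.group(1)) == 3 else m.group(1),
        body,
    )


def _hash(payload: str) -> str:
    """HMAC-SHA1 hex digest, the 40-hex-char prefix seen before the '$' in the cookie."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha1).hexdigest()


def encode_messages(messages):
    """messages: list of (level, text) -> quoted cookie value '<hmac>$<json>'."""
    payload = json.dumps(
        [[MARKER, 0, level, text] for level, text in messages], separators=(",", ":")
    )
    return cookie_quote(_hash(payload) + "$" + payload)


def decode_messages(cookie_value):
    """Verify the signature; return list of (level, text) or None if it does not verify."""
    raw = cookie_unquote(cookie_value)
    sig, sep, payload = raw.partition("$")
    if not sep or not hmac.compare_digest(sig, _hash(payload)):
        return None  # forged or tampered: the key is needed to produce a valid prefix
    return [(item[2], item[3]) for item in json.loads(payload) if item[0] == MARKER]


def render_unescaped(text: str) -> str:
    """How the affected pages behave: the owner's name goes into HTML verbatim."""
    return f"<li>{text}</li>"


def render_escaped(text: str) -> str:
    """The fix: escape at output time regardless of where the text came from."""
    return f"<li>{html.escape(text, quote=True)}</li>"


if __name__ == "__main__":
    payload = "asdf'\"><script>alert(document.cookie)</script>"
    cookie = encode_messages([(SUCCESS, "Successfully suspended " + payload)])
    print("Set-Cookie: messages=" + cookie + "; Path=/")
    print(decode_messages(cookie))
    print(render_unescaped(payload))
    print(render_escaped(payload))
```

Running `decode_messages` on a cookie whose text was edited after signing returns `None`, which is why the reporter looks for a way to plant the server-issued cookie as-is (a subdomain that can set cookies for the parent domain, or header injection) rather than for a way to forge one. Whichever route delivers it, `render_unescaped` fires the payload and `render_escaped` does not; the defence is output escaping of the name everywhere it is shown, flash messages included.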