Gratipay: Stored XSS On Statement

2015-08-26T00:32:01
ID H1:84740
Type hackerone
Reporter ibram
Modified 2015-09-03T16:00:59

Description

Hello, I've Found a Stored Cross-Site Scripting (XSS) In Gratipay.com .. This XSS is in The Statement. It Happens Because You're Not Sanitizing This From Markdown Malicious Codes.

Steps To Reproduce :

  1. Login To Your Account At Gratipay.com
  2. Go To Your Profile Page .. And Click Edit Statement
  3. Enter Any Of These 2 Payloads :
     * [notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
     * <javascript:alert(document.cookie)>
  4. Click Save

Now You'll See 2 Links (See Links.png) .. Click On Any Of These 2 Links And The XSS Payload Will Be Triggered :)

Also This is Dangerous Because The Profile's Statement is Public .. So If Anyone Visits The Attacker's Profile And Clicks On This Malicious Link, The XSS Will Be Triggered In His Browser.

Take a Look At My Profile On Gratipay : https://gratipay.com/~geekpero/.

Please Let Me Know If You Need Any Information.

References About Markdown XSS:
  * http://stackoverflow.com/questions/1690601/markdown-and-xss
  * https://michelf.ca/blog/2010/markdown-and-xss/

Best Regards, Ebram Marzouk
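One server-side mitigation for the issue described in this report, as an added example that is not Gratipay's code: a minimal link renderer that allowlists URL schemes, so a `javascript:` href is never emitted no matter what the statement contains. It assumes a small Markdown subset (inline links and `<url>` autolinks); a real deployment would apply the same scheme check inside the full Markdown renderer or in an HTML sanitizer run on its output.

```python
import re
from html import escape, unescape
from typing import Optional
from urllib.parse import urlsplit

# Only these schemes may appear in an href rendered from user Markdown.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Matches either an inline link [label](url) (groups 1, 2)
# or an autolink <url> (group 3). Constructed subset of Markdown syntax.
_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)|<([^<>\s]+)>")


def safe_href(url: str) -> Optional[str]:
    """Return the URL if its scheme is allowlisted, otherwise None.

    HTML entities are decoded and non-printable/whitespace characters are
    stripped before the check, so an obfuscated scheme is still rejected.
    Scheme-less (relative) URLs are allowed as-is.
    """
    cleaned = "".join(ch for ch in unescape(url)
                      if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return cleaned
    return cleaned if scheme in SAFE_SCHEMES else None


def render_links(markdown: str) -> str:
    """Render Markdown links to HTML, dropping links with unsafe hrefs.

    Text outside links is HTML-escaped. A rejected link keeps its visible
    label as plain text but gets no <a> tag at all.
    """
    out, pos = [], 0
    for m in _LINK.finditer(markdown):
        out.append(escape(markdown[pos:m.start()]))
        if m.group(3) is not None:          # autolink: label is the URL itself
            label, url = m.group(3), m.group(3)
        else:                               # inline link [label](url)
            label, url = m.group(1), m.group(2)
        href = safe_href(url)
        if href is None:
            out.append(escape(label))
        else:
            out.append(f'<a href="{escape(href, quote=True)}">{escape(label)}</a>')
        pos = m.end()
    out.append(escape(markdown[pos:]))
    return "".join(out)
```

Both payloads from the report render as plain text with no href, while ordinary http(s) and mailto links still become anchors.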