Skip to content

[BUG] False positive XSS #745

Description

@stdex

Describe the bug
In blackbox test mode success submitting a form is incorrectly interpreted as a vulnerability.

In report this explained as:

The X form on the homepage (POST X) accepts and stores raw HTML/JavaScript payloads in multiple fields (x, y) without any input sanitization or output encoding. When a store manager or admin views the submitted request in the admin panel, the stored XSS payload executes in their browser context. 

The vulnerability was confirmed by successfully submitting a request with `<img src=x onerror=alert(...)>` payloads in the `x` and `y` fields. The server responded with HTTP 200 and a success message: "Z" (Request sent).

Tools could report only if vulnerability is confirmed (page with XSS available).

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions