Slack Stored XSS (Cross-Site Scripting)
It has been a very long time since I wrote a blog post. :(
Well, today we are going to look at a stored XSS (cross-site scripting) vulnerability in Slack. :)
One of the Slack URIs, https://api.slack.com/apps/[appid]/general, does not handle user input properly in the "name" parameter.
The input is reflected into the page without being properly sanitised or filtered. As a result, it was possible for an attacker to trigger a stored XSS attack.
The interesting thing is that this vulnerability can be exploited against other teams and their members. Because of this behaviour, Slack awarded $1000 for this vulnerability.
The full report can be found on HackerOne: https://hackerone.com/reports/159460
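The defence against this class of bug is output encoding at every place the stored "name" value is written into markup. The following Node.js code is an added example, not Slack's code and not part of the original report; the template, the function names and the app ID are assumptions, and the sample name is constructed.

```javascript
// Added example: hypothetical template and function names, constructed data.
// In-memory stand-in for the stored app record. The "name" value is
// user-controlled and is later rendered for other team members.
const apps = new Map();

function saveApp(appId, name) {
  apps.set(appId, { name: String(name) });
}

// Encode the five characters that are significant in HTML text nodes
// and in quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the stored name is concatenated into the markup as-is.
function renderGeneralUnsafe(appId) {
  const { name } = apps.get(appId);
  return `<h1>${name}</h1><input name="name" value="${name}">`;
}

// "After": the same template with output encoding at both sinks.
function renderGeneralSafe(appId) {
  const safe = escapeHtml(apps.get(appId).name);
  return `<h1>${safe}</h1><input name="name" value="${safe}">`;
}

// Regression check: count opening tags in the rendered output. The template
// itself contributes exactly two (h1 and input); any extra tag, or a tag that
// swallowed part of the next one, came from the stored value.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: inert markup plus a quote that would close the attribute.
saveApp('A0000001', 'My "App" <b>bold</b> & co');
console.log(countTags(renderGeneralUnsafe('A0000001'))); // 3
console.log(countTags(renderGeneralSafe('A0000001')));   // 2
console.log(renderGeneralSafe('A0000001'));
```

A check like `countTags` fits in a unit test for every template that displays a user-supplied field, so a missing encode call fails the build instead of reaching production.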
Thanks, Max Feldman, for such a fast response on all my reports.
The POC is shown below.
Comments are always welcome.