Wednesday, 23 November 2016

Slack Stored XSS(Cross Site Scripting)

Slack Stored XSS(Cross Site Scripting)

Hello Guys,

From a very long, I didn't`t write any blog post. :(

Well, Today we are going to see a Vulnerability in Slack Of Stored XSS(Cross Site Scripting) :)

One of the Slack URI -[appid]/general is not handling the user input properly, In a "name" parameter.

The input is getting reflected into the page without being properly sanitised or filtered, As a result it was possible for an attacker to Triager a Stored XSS Attack.

Interesting thing is that, This vulnerability can be exploited on other team and his member, As per this behaviour Slack Awarded $1000 for this vulnerability.

Full report can be found on hackerone -

Thanks,  Max Feldman for such fast response on my all reports.

POC is mention below.

POC Video 

Comments are always, Welcome.


Featured post

Yandex IMAP Brute Forcing(No Rate Limit For Login Attempts)

Hello Guyzssss, I am not in bug bounty so much, But while using one of the yandex service, I found that there was no Rate Limit Deploye...

Popular Posts