Wednesday 23 November 2016

Slack Stored XSS(Cross Site Scripting)

Slack Stored XSS(Cross Site Scripting)


Hello Guys,

From a very long, I didn't`t write any blog post. :(

Well, Today we are going to see a Vulnerability in Slack Of Stored XSS(Cross Site Scripting) :)

One of the Slack URI - https://api.slack.com/apps/[appid]/general is not handling the user input properly, In a "name" parameter.

The input is getting reflected into the page without being properly sanitised or filtered, As a result it was possible for an attacker to Triager a Stored XSS Attack.

Interesting thing is that, This vulnerability can be exploited on other team and his member, As per this behaviour Slack Awarded $1000 for this vulnerability.