[Cross Site Scripting]
Cross Site Scripting on Login Page

- 1 min


Hello Guys, this is my third time to write a blog and I want to say sorry ahead for my bad english :sweat_smile:

I was long ago when I found this bug which was recognized last year and eventually the reason why I got CVE. It’s a quiet tuesday morning, during my first day being an OJT. My mentor told me that my first task is to install Frappe/ERPNext. I just finished installing the framework and waiting for my next task, I got bored and just lurking around until I stumbled on login page. It is my pioneering days of learning bug bounty and the first thing I learned is XSS so I wondered, If I inject script tag to login fields will there be a pop up ?, so I quickly fired a basic xss script tag and luckily I got a pop up. I determined that all fields are vulnerable to xss.

Kent Bayron

Proof of Concept

  1. Install Frappe o n your local machine.
  2. Run it, usually it runs on http://localhost:8000
  3. Insert basic xss script to login fields.
  4. Enter and the XSS will pop up.
  5. All fields are vulnerable to XSS.

Kent Bayron


Title of Report: Cross Site Scripting on Login Page Frappe
Date of Report: 28 November 2017 18:24:04 UTC
Date of Resolved: 27 December 2017 22:35:44 UTC
Bounty Paid: $0
Hall of Fame: ERPnext Security Bulletin

I hope you enjoy this write up and always remember:
Always learn the fundamentals!

Kent Bayron

Kent Bayron

Hacking | Travel | Gratitude

rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora