Cross Site Scripting on Login Page
Hello guys, this is my third time writing a blog, and I want to say sorry ahead for my bad English.
It was long ago when I found this bug, which was recognized last year and was eventually the reason why I got a CVE. It was a quiet Tuesday morning, during my first day as an OJT. My mentor told me that my first task was to install Frappe/ERPNext. I had just finished installing the framework and was waiting for my next task; I got bored and was just lurking around until I stumbled on the login page. Those were my pioneering days of learning bug bounty, and the first thing I learned was XSS, so I wondered: if I inject a script tag into the login fields, will there be a pop-up? So I quickly fired a basic XSS script tag and luckily I got a pop-up. I determined that all fields are vulnerable to XSS.
Proof of Concept
- Install Frappe on your local machine.
- Run it, usually it runs on http://localhost:8000
- Insert a basic XSS script into the login fields.
- Enter and the XSS will pop up.
- All fields are vulnerable to XSS.
Title of Report: Cross Site Scripting on Login Page Frappe
Date of Report: 28 November 2017 18:24:04 UTC
Date Resolved: 27 December 2017 22:35:44 UTC
Bounty Paid: $0
Hall of Fame: ERPNext Security Bulletin
I hope you enjoy this write-up and always remember:
Always learn the fundamentals!