[SEC-009] Injection - XSS Vulnerability In Album
Description
Fields in the album that are strings and can be entered by the user are not sanitized, so XSS is possible. For example, if a user gives an album a title like this:
Indonesia Raya Remix Koplo <img src="a" onerror="alert('Jebol Cuy')" />
it is saved as-is, and whenever the album title is rendered, for example on the homepage or the detail page, the tag is interpreted as HTML rather than shown as text. Since image 'a' is not found, the onerror script runs. In the bigger picture, an attacker can use this to steal cookies by putting a script in the onerror handler that sends the cookie to the attacker's website.
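The following is an added example, not code from the application under test: it renders the album title from this report the unsafe way the finding describes and then with output escaping, which is the fix. The render functions and the hasUnexpectedTag check are hypothetical stand-ins for the app's templates and a regression test.

```javascript
// Constructed sample: the exact payload title used in this finding.
const ALBUM_TITLE =
  'Indonesia Raya Remix Koplo <img src="a" onerror="alert(\'Jebol Cuy\')" />';

// Vulnerable (hypothetical template): the stored title is interpolated
// straight into HTML, so the <img> tag becomes part of the page.
function renderAlbumUnsafe(album) {
  return `<h1 class="album-title">${album.title}</h1>`;
}

// Escape the characters that are significant in HTML text and attribute
// values. This is the standard fix: escape on output, not on input.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fixed (hypothetical template): the browser now displays the tag as text.
function renderAlbumSafe(album) {
  return `<h1 class="album-title">${escapeHtml(album.title)}</h1>`;
}

// Regression check for this finding: the only tag the template should emit
// is <h1>; any other '<' followed by a letter means user markup leaked in.
function hasUnexpectedTag(html) {
  return /<(?!\/?h1\b)[a-z]/i.test(html);
}

// Stand-alone demo.
const album = { title: ALBUM_TITLE };
console.log('unsafe leaks tag:', hasUnexpectedTag(renderAlbumUnsafe(album)));
console.log('safe leaks tag:  ', hasUnexpectedTag(renderAlbumSafe(album)));
```

Note that this escaping is for HTML body and attribute-value context only; a title placed into a JavaScript string or a URL would need the encoding for that context instead.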
Severity
This bug has severity CRITICAL, since an attacker can steal the admin's cookie.
Affected URL
Any URL that can show individual song data, such as:
- / (the homepage)
- /album/:id, where :id is the id of the album containing the payload, including /album/:id/edit
- /search, whenever an album containing the payload is shown