The following example shows how to create an XSS payload by injecting JavaScript into the user ID field of a user.

When making changes to the settings of a Zinc user, it is recommended to use the “edit” rather than the “delete” functionality. This will prevent XSS attacks and ensure your application is secure. Zinc versions prior to v0.4.0 do not have a whitelist of user IDs and will allow the deletion of any user, regardless of the XSS payload.

POC: https://codereview.stgit.com/113712 This issue can be reproduced by deleting any user of your application.

Zinc User Management API

Users of the application can change their username at their own request. The difference between this and other HTTP requests is that the payload is sent to a callback URL, which is where the XSS payload is delivered.

POC: https://codereview.stgit.com/112912

Discovery & Vulnerability Scoring

Discovery & Vulnerability Scoring (Docvation) is an open source security tool that offers automated, continuous scanning of web applications for vulnerabilities with a focus on hidden attacks. Docvation is currently used by over 8500 organizations worldwide to secure their applications from XSS, SQL injection, and other types of attacks.

User management

POC: https://codereview.stgit.com/113712

User management is one of the most important aspects of your Zinc application. For example, when a user is deleted, you should ensure that their data is not also deleted from your database and that any necessary system changes are made.


Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/06/2022 18:44:00 UTC

References