Thursday, October 18, 2018

Victoria's Secret app: XSS: A plaintext search results in a cross site scripting error

Victoria's Secret app for iOS (version 5.4.2)
Date: 10/18/2018

Description:

The most common self-reflecting XSS bug is active with the Victoria's App for iOS.

If the user searches for "<plaintext>" in the search box, the app barfs up HTML.

Easier to show than to describe, so please see the attached screenshots.

Steps to Reproduce:

1. Download and launch the Victoria's Secret app for iOS (version 5.4.2)
2. Click on "SHOP"
3. Click inside the magnifying glass to search
4. Enter in <plaintext> as a search term
5. Run a search

Result: There is an cross site scripting error if the user runs a search for "<plaintext>"

Expected: There should not be a cross site scripting error if the user runs a search for "<plaintext>"

Launch the app, then click on "SHOP"...

Click on the magnifying glass...

Run a search in this search box...

Enter in <plaintext> as a search term...

Barfs HTML.
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)