Tuesday, March 24, 2020

Slickdeals app for iOS: XSS: Error if you try to change username to "<plaintext>"

iOS 13.3.1
Slickdeals: Save with Coupons app for iOS (version 5.14.1)
Date: 03/24/20

Description:

The Slickdeals: Save with Coupons app (version 5.14.1) for iOS has a minor XSS problem.

The app has a "Request Username" option. If the user enters the standard XSS probe string "<plaintext>" as the requested username, the app shows a fragment of its own page markup ("</p></div><footer><button class =") where the error message should be.

That is exactly what the HTML <plaintext> tag does when a browser parses it: everything after it is rendered as literal text. Seeing the trailing markup on screen means the submitted username is reflected into the response HTML without being escaped, which indicates that other tags would be interpreted too and that there are additional XSS errors to be found.


Steps to Reproduce:

1. Download and launch the Slickdeals: Save with Coupons app for iOS
2. Select profile
3. Sign Up with either a Google or Facebook account
4. Select "Edit Username" from the pop-up
5. From the "Change Username" screen, enter <plaintext>
6. Tap "Request Username"
7. Note "</p></div><footer><button class =" appears
8. Start looking for other XSS problems

Result: Entering the standard XSS probe string "<plaintext>" in the "Request Username" area of the app makes the page's trailing HTML appear as visible text instead of an error message. This shows that the username is reflected into the response unescaped, which is the condition that makes XSS possible.

Expected: The Slickdeals app should handle the entry of "<plaintext>" gracefully. The requested username should be HTML-escaped (or rejected) before it is reflected into the response, so that no page markup is exposed and no error message appears that would encourage additional searches for XSS problems.
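The following is an added example, not code from Slickdeals or from the original post, showing why a reflected "<plaintext>" exposes the page's trailing markup and how escaping the username stops it. The response template is a constructed stand-in for whatever the real "Request Username" endpoint returns; only its shape (username reflected inside a paragraph, followed by a footer with a button) is assumed from the fragment the app displayed. The browser model is deliberately simplified, and the example goes slightly beyond the post by checking a second probe to show that any tag, not just <plaintext>, is reflected unescaped.

```javascript
// Added example, not Slickdeals code. The template below is a constructed
// stand-in for the real "Request Username" error page; its shape is assumed.

// Vulnerable rendering: the requested name is concatenated into HTML as-is.
function renderUnsafe(username) {
  return '<div class="msg"><p>The username ' + username +
    ' is not available.</p></div><footer><button class="ok">OK</button></footer>';
}

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened rendering: same template, but the name is escaped first.
function renderSafe(username) {
  return renderUnsafe(escapeHtml(username));
}

// Simplified model of what a browser shows for a document: tags are dropped
// and entities decoded, except that a <plaintext> tag switches the parser
// into raw-text mode, so everything after it is shown verbatim.
function visibleText(html) {
  const m = /<plaintext>/i.exec(html);
  const head = m ? html.slice(0, m.index) : html;
  const tail = m ? html.slice(m.index + m[0].length) : '';
  const decode = t => t.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
  return decode(head.replace(/<[^>]*>/g, '')) + tail;
}

// True when the page's own trailing markup ends up on screen, which is the
// symptom the steps above describe.
function leaksMarkup(render, username) {
  return visibleText(render(username)).includes('</p></div><footer><button class=');
}

// Generic check for the underlying defect: does the raw probe string survive
// into the response unescaped? If so, the browser will interpret it as markup.
function reflectsUnescaped(render, probe) {
  return render(probe).includes(probe);
}

// Constructed probe strings: the one from the post plus a harmless tag.
const PROBES = ['<plaintext>', '<b>bold</b>'];
for (const p of PROBES) {
  console.log(JSON.stringify(p),
    '| unsafe reflects raw:', reflectsUnescaped(renderUnsafe, p),
    '| safe reflects raw:', reflectsUnescaped(renderSafe, p));
}
console.log('unsafe shows:', visibleText(renderUnsafe('<plaintext>')));
console.log('safe shows:  ', visibleText(renderSafe('<plaintext>')));
```

Run it with node; the unsafe rendering prints the leaked "</p></div><footer><button class=" fragment, while the safe rendering shows the literal text "<plaintext>" and nothing else of the page. Escaping at the point where the value is written into HTML (not input validation alone) is what closes the reflection for every tag, not just this probe.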
