Showing posts with label XSS. Show all posts

Wednesday, August 23, 2023

BigLots app for iOS: XSS error from searches for plaintext

iOS 16.6

BigLots app for iOS

Date: 08/23/23

Description:

The BigLots app for iOS has a self-directed XSS problem. Entering the term "<plaintext>" in the search box inside the BigLots app results in an error: the search term is reflected into the results page without being HTML-encoded, so the page's own markup is displayed as text.


Steps to Reproduce:

1. Download and launch the BigLots app for iOS

2. Click inside the input box that says, "Search BigLots.com"

3. Enter "<plaintext>" as a search term

4. Click on "Search" 

Result: The BigLots iOS app displays an HTML error message if "<plaintext>" is entered as a search term; the term is reflected unencoded (self-directed XSS)

Expected: The BigLots iOS app should not display raw HTML text after a "<plaintext>" search


Click inside the search input box and enter "<plaintext>"

Enter "<plaintext>"

HTML error from the self-directed XSS probe.


Tuesday, May 19, 2020

Merlin Bird ID app for iOS: XSS error from plaintext entry in Forgot Username/Password input boxes

iOS 13.4.1
Merlin Bird ID by Cornell Lab (version 1.7.3)
Date: 05/19/20

Description:

There is a cross-site scripting problem with the Merlin Bird ID app from Cornell Lab.

The app has a "Forgot username?" and a "Forgot password?" option on the sign-in screen. There is an XSS error if the user enters <plaintext> into either of these input boxes:

Enter <plaintext> into either the "Forgot username" or "Forgot password" input box...

The page's raw HTML is displayed.

Steps to Reproduce:

1. Download the Merlin Bird ID app for iOS
2. Select "Sign in" from the side bar menu
3. Select either "Forgot Username" or "Forgot Password"
4. Enter <plaintext>

Result: An XSS error appears after the user enters <plaintext> into either the Forgot Password or Forgot Username input box

Expected: No XSS errors!

Tuesday, March 24, 2020

Slickdeals app for iOS: XSS: Error if you try to change username to plaintext

iOS 13.3.1
Slickdeals: Save with Coupons app for iOS (version 5.14.1)
Date: 03/24/20

Description:

The Slickdeals: Save with Coupons app (version 5.14.1) for iOS has a minor XSS problem.

The app has a "Request Username" option. If the user enters the standard XSS probe "<plaintext>"...

The app displays an error message containing raw HTML, which shows that the field is reflected without encoding and that additional XSS errors are likely to be found...



Steps to Reproduce:

1. Download and launch the Slickdeals: Save with Coupons app for iOS
2. Select "Profile"
3. Sign up with either a Google or Facebook account
4. Select "Edit Username" from the pop-up
5. From the "Change Username" screen, enter <plaintext>
6. Click on "Request Username"
7. Note that the HTML fragment "</p></div><footer><button class =" appears
8. Start looking for other XSS problems

Result: Entering the standard XSS test term "<plaintext>" in the "Request Username" area of the app results in an error indicative of an XSS failure

Expected: The Slickdeals app should handle the entry of "<plaintext>" gracefully and should not display an error message that would encourage additional searches for XSS problems

Monday, June 17, 2019

Win-Kel app for iOS: XSS: Account name of "plaintext" breaks the Rental Agreement

Win-Kel Storage app for iOS (version 4.6.2)
Date: 06/17/2019

Description:

If you create an account using "<plaintext>" as your first and last name, the legal text of the Rental Agreement (EULA) breaks.

Here is a screenshot of the Rental Agreement Legal Page, using a regular name of "Roger William":

The page looks normal, as you can see.

Let's take a look at what happens when you change your first and last name to "<plaintext>"

Change your first and last name to "<plaintext>"...

The first and last names have been changed to "<plaintext>" - now go back and look at the rental agreement...

As you can see, this page cannot handle "<plaintext>" being inserted.

Steps to Reproduce:

1. Download the Win-Kel app for iOS
2. Create an account with the first and last name of "<plaintext>"
3. Look at the Rental Agreement

Result: Using "<plaintext>" as a first and last name for a Win-Kel account breaks the HTML on the Rental Agreement page

Expected: The name should be HTML-encoded wherever it is inserted into the Rental Agreement page; restricting the "<" and ">" characters in the first and last name fields of the app would be a weaker, defence-in-depth measure at best

Monday, January 21, 2019

Bartels Giant Burger App for iOS - vulnerable to a self-directed cross-site scripting error

Bartels Giant Burger app for iOS
Date: 1/22/2019

Description:

The Bartels Giant Burger app is vulnerable to a self-directed cross-site scripting error. It is triggered when the user enters a term such as "<plaintext>" into the location search box.

I would assume that a number of other XSS errors can be triggered in this box.

This is easier to show than it is to describe, so please see the attached video:



Steps to Reproduce:
1. Download the Bartels Giant Burger app
2. Launch the app
3. Select "Locations" from the sidebar
4. From the "Find Your Store" screen, click inside the "Zip or City, State" input box
5. Enter "<plaintext>" and run a search

Result: A search of "<plaintext>" in the "Find Your Store" location box of the Bartels Giant Burger app results in an XSS error

Expected: A search of "<plaintext>" in the "Find Your Store" location box in the Bartels Giant Burger app should not result in an XSS error

Thursday, October 18, 2018

Victoria's Secret app: XSS: A plaintext search results in a cross site scripting error

Victoria's Secret app for iOS (version 5.4.2)
Date: 10/18/2018

Description:

The most common self-reflected XSS bug is present in the Victoria's Secret app for iOS.

If the user searches for "<plaintext>" in the search box, the app displays the page's raw HTML.

Easier to show than to describe, so please see the attached screenshots.

Steps to Reproduce:

1. Download and launch the Victoria's Secret app for iOS (version 5.4.2)
2. Click on "SHOP"
3. Click on the magnifying glass to open the search box
4. Enter <plaintext> as a search term
5. Run a search

Result: There is a cross-site scripting error if the user runs a search for "<plaintext>"

Expected: There should not be a cross site scripting error if the user runs a search for "<plaintext>"

Launch the app, then click on "SHOP"...

Click on the magnifying glass...

Run a search in this search box...

Enter <plaintext> as a search term...

The page's raw HTML is displayed.
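Every post on this page uses the same probe, so here is one added example of why "<plaintext>" is such a cheap reflection test and what the fix looks like. This is not code from any of the apps above (their server-side code is not public): the two templates, the render_* and leaked_markup names and the attribute-context variant are all hypothetical, and the example assumes what the screenshots suggest, that the search term or name is inserted into a server-rendered HTML page. It mimics the browser rule that once an unescaped <plaintext> start tag is parsed, everything after it is shown as literal text, which is the "</p></div><footer><button class =" fragment the Slickdeals post notes.

```python
"""Reflection probe for the "<plaintext>" symptom described in the posts above.

Added example, not code from any of the apps above. The templates and
function names are hypothetical; they reproduce the symptom, not any
vendor's implementation.
"""
import html
from html.parser import HTMLParser
from typing import Callable, Optional

# Hypothetical search-results template: the term lands in text content,
# the context in which a bare "<plaintext>" works as a probe.
RESULTS_TEMPLATE = (
    '<html><body><div class="results">'
    '<p>Results for: {query}</p>'
    '</div><footer><button class="more">More</button></footer>'
    '</body></html>'
)

# Hypothetical variant where the term is echoed into an attribute value.
ATTR_TEMPLATE = (
    '<html><body><form>'
    '<input type="search" name="q" value="{query}">'
    '</form></body></html>'
)


def render_results_unsafe(query: str) -> str:
    """The bug: the search term is reflected into HTML without encoding."""
    return RESULTS_TEMPLATE.replace("{query}", query)


def render_results_safe(query: str) -> str:
    """The fix: encode on output. quote=True also covers attribute values."""
    return RESULTS_TEMPLATE.replace("{query}", html.escape(query, quote=True))


def render_attr_unsafe(query: str) -> str:
    """Same bug, attribute context."""
    return ATTR_TEMPLATE.replace("{query}", query)


def render_attr_safe(query: str) -> str:
    """Same fix, attribute context."""
    return ATTR_TEMPLATE.replace("{query}", html.escape(query, quote=True))


class _PlaintextFinder(HTMLParser):
    """Records where the first real <plaintext> start tag begins.

    A parser rather than a substring search matters here: the string
    "<plaintext>" inside a quoted attribute value is just text, and a
    browser would not act on it.
    """

    def __init__(self) -> None:
        super().__init__()
        self.found_at: Optional[tuple] = None

    def handle_starttag(self, tag, attrs):
        if tag == "plaintext" and self.found_at is None:
            self.found_at = self.getpos()  # (line, column) of the '<'


def leaked_markup(render: Callable[[str], str], probe: str = "<plaintext>") -> Optional[str]:
    """Submit the probe and return the raw markup the user would see.

    A browser that parses an unescaped <plaintext> start tag stops
    tokenising and displays the rest of the document verbatim; that tail
    is returned. None means the probe did not come back as a live tag.
    """
    page = render(probe)
    finder = _PlaintextFinder()
    finder.feed(page)
    finder.close()
    if finder.found_at is None:
        return None
    line, col = finder.found_at
    index = sum(len(l) + 1 for l in page.split("\n")[: line - 1]) + col
    return page[page.index(">", index) + 1:]


def probe_reflects_unescaped(render: Callable[[str], str], probe: str = "<plaintext>") -> bool:
    """The tester's yes/no: does the probe come back as live markup?"""
    return leaked_markup(render, probe) is not None


if __name__ == "__main__":
    print(leaked_markup(render_results_unsafe))      # the leaked page markup
    print(leaked_markup(render_results_safe))        # None
    print(probe_reflects_unescaped(render_attr_unsafe))                   # False
    print(probe_reflects_unescaped(render_attr_unsafe, '"><plaintext>'))  # True
```

Two caveats the posts above gloss over. A bare "<plaintext>" only detects reflection into text content; when the term is echoed into an attribute value, as in the hypothetical ATTR_TEMPLATE, the probe shows nothing and the tester has to close the attribute first ('"><plaintext>'). And in both contexts the fix is encoding on output, as render_results_safe does, not stripping "<" and ">" from the input field, which leaves every other sink of the same value unprotected.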