Stored XSS in Kaskus

What is Cross-site Scripting (XSS)

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks allow attackers to inject client-side scripts into web pages viewed by other users.

Attackers can use cross-site scripting vulnerabilities to bypass access controls such as the same-origin policy. Cross-site scripting is also included in the OWASP (Open Web Application Security Project) Top 10 list of vulnerabilities.

What is Kaskus?

Kaskus is an Indonesian internet forum and community platform that allows users to engage in discussions, share information, and connect with others. It was launched in 1999 and has since become one of the largest online communities in Indonesia. Kaskus covers various topics such as technology, lifestyle, entertainment, and more. Users can create threads, participate in discussions, and interact with fellow members. Kaskus also features a marketplace where users can buy and sell various products. Overall, Kaskus serves as a popular hub for Indonesian internet users to gather, communicate, and share their interests and experiences.

Steps to reproduce

  1. Create a thread.
  2. In the thread title, insert the payload: ' - alert(1) - '
  3. Delete the thread; the payload then executes.
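
The quote-dash shape of the payload fits a title that ends up inside a single-quoted JavaScript string. The following is an added example, not code from this write-up or from Kaskus: the `confirm(...)` sink and every function name in it are assumptions made for illustration. It shows why concatenating the title into such a string runs it as code, and how serializing it as a string literal keeps it as data.

```javascript
// Constructed sample: the thread title from step 2 of the write-up.
const TITLE = "' - alert(1) - '";

// Vulnerable pattern (assumed sink): the title is concatenated into a
// single-quoted JavaScript string inside an inline script.
function renderUnsafe(title) {
  return "confirm('Delete thread " + title + "?');";
}

// Hardened pattern: serialize the value as a JavaScript string literal.
// JSON.stringify escapes double quotes and backslashes; the extra
// replacements stop the literal from closing a surrounding <script>
// element or a quoted HTML attribute.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/'/g, "\\u0027")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(title) {
  return "confirm(" + jsStringLiteral("Delete thread " + title + "?") + ");";
}

// Run a rendered snippet with stubbed confirm/alert and record the calls,
// so the difference is observable without a browser.
function observe(script) {
  const calls = { alert: 0, confirmed: [] };
  const run = new Function("confirm", "alert", script);
  run(
    (msg) => { calls.confirmed.push(String(msg)); return false; },
    () => { calls.alert += 1; }
  );
  return calls;
}

const unsafe = observe(renderUnsafe(TITLE)); // alert stub is called once
const safe = observe(renderSafe(TITLE));     // title reaches confirm() as text
console.log("unsafe:", unsafe);
console.log("safe:  ", safe);
```
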


Proof of Concept



Timeline

30 June 2023 : Report to Kaskus
04 July 2023 : Kaskus responds to my reports
05 July 2023 : Report declared valid
11 July 2023 : Hall of Fame (Satya Aji Firmansyah)