ChartBeat

Friday, July 22, 2016

Stored XSS in Zengine

I was working on Zengine's bug bounty program on Cobalt.io back in July 2015. As this was an an old program, most of the low hanging fruits were already reported. I didn't expect to find a XSS when I saw Shashank on top of the list 

Zengine is a cloud-based platform that empowers a non-technical person to quickly build custom business applications, while also allowing developers to extend the application by adding integrations and complex functionality.

It all started with creating a test account on Zengine and writing an XSS payload in new plugin name. After you create a plugin it gets listed on marketplace. I was not sure if I'll find something in the application as data validation protection was intact. After navigating to all pages manually, I was kind of bored and I clicked browse plugins in the marketplace (don't remember exactly how I reached there as I lost the POC video from dropbox). To my surprise I saw a cute little prompt from payload which I wrote earlier in my new plugin. Zengine Security team patched the issue in less than 24 hours.


Zengine rewarded me $1200 for the finding with appreciation.


Timeline:
July 9th, 2015 - Report Sent
July 10th, 2015 - Bug Patched, Bounty Rewarded

Thanks for Reading! Comments and suggestions are welcome.


      

No comments:

Post a Comment