[WT-4635] [Security Test] {XSS} In employee self serve mode, Change Password page shows server error when any script is provided as input to Secret Question's answer field. - Workterra Jira

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: High
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
- Security

Environment:

Production
Bug Severity:
Medium
Module:
BenAdmin - Security
Reported by:
Harbinger

Description

[Security Test] In employee self serve mode, Change Password page shows server error when any script is provided as input to Secret Question's answer field.

Test Environment:
1. Login as Employee and traverse employee self serve mode
2. Goto Change Password Page
3. Enter following scripts in Answers of Security questions.

Scripts used for testing are:
<script>alert("Attacked")</script>
"><script>alert("xss");</script>
"><script>">'><script>alert(String.fromcharcode(88,83,83))</script>
"><img src=x onerror=alert("XSS");</script>

Malicious user can enter any scripts through application to generate Server Errors.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

ScriptErroratChngPwdPage_SSM.jpg
99 kB
07/Sep/16 12:54 PM
ScriptErroratChngPwdPage_SSM_ZAP.jpg
214 kB
07/Sep/16 12:54 PM

Activity

People

Assignee:: Samir

Reporter:: Prasad Pise (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 07/Sep/16 12:54 PM

Updated:: 15/Dec/20 02:53 AM