hakluke / bug-bounty-standards

A list of edge cases that occur in bug bounty programs, conversations on how they should be handled. The goal is to standardise the way that specific situations are handled in bug bounties.

Duping XSS on input rather than output #9

Open foobar7 opened 1 year ago

foobar7 commented 1 year ago

Situation: From time to time, triage will close XSS reports as dupes based on input rather than output (so when, e.g., a name input is echoed in entirely different pages/functionalities, they will close reports as dupes of each other). When appealing, it's sometimes resolved by the platform, sometimes passed on to the program to decide, and sometimes reports are left closed.

Resolution: The platform should correctly triage reports (ideally directly, otherwise on appeal) & dupe XSS on output.

Reasoning: XSS is an output vulnerability, and that's where the issue needs to be resolved. That's also how it's mostly - but not always - handled. Adding a generic input filter or WAF over the input will not properly fix the issue. Among other things, already placed payloads will continue to trigger, allowing continued exploitation.
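The reasoning above in code, as an added example that is not part of the issue thread: one stored name value reaches two different output sinks, so an input-side filter neither removes the already stored payload nor fixes either sink, while per-context output encoding at each sink does. All names and values here are constructed.

```javascript
// Constructed sample: a display name persisted before any input filter existed.
const storedName = '<img src=x onerror="alert(1)">';

// Input-side mitigation: a naive filter applied at submission time only.
// It never touches values that are already in the database.
function inputFilter(value) {
  return value.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Output-side encoders, one per context the value lands in.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
}
function encodeJsString(value) {
  // JSON.stringify escapes quotes and backslashes; < and > are neutralised too
  // so the literal can never terminate the enclosing <script> block.
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Sink 1: profile page, value lands in HTML body context.
function renderProfile(name, { encode = false } = {}) {
  const out = encode ? encodeHtml(name) : name;
  return `<h1>Hello ${out}</h1>`;
}

// Sink 2: welcome banner, value lands inside a JS string in a <script> block.
// A different context, so it needs a different encoder: a separate fix point.
function renderWelcomeScript(name, { encode = false } = {}) {
  const out = encode ? encodeJsString(name) : `"${name}"`;
  return `<script>var user = ${out};</script>`;
}

// Runs the stored value through the filter and both sinks, with and without
// output encoding, so the effect of each mitigation can be compared.
function demo() {
  return {
    filterChangedStoredValue: inputFilter(storedName) !== storedName,
    filterOnFreshInput: inputFilter('<script>alert(1)</script>'),
    profileUnsafe: renderProfile(storedName),
    profileSafe: renderProfile(storedName, { encode: true }),
    scriptUnsafe: renderWelcomeScript(storedName),
    scriptSafe: renderWelcomeScript(storedName, { encode: true }),
  };
}

console.log(demo());
```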

hakluke commented 1 year ago

Agreed: the XSS vulnerability occurs on the output not on the input, and the submissions should be treated as such.