Cross-site Scripting (XSS) - Stored in arachnys/cabot


Reported on

Sep 5th 2020


Executed Persistent stored XSS in cabot check settings, as well as the address field. As per CVEs present Stored XSS is a High Severity bug.

Proof of Concept

  1. setup cabot to reproduce the vulnerability
  2. create an account now login to the account
  3. Go to checks Create and navigate to http check, In the Endpoint column append a XSS payload. You can also create
  4. Now we can see a failed check now click run button in that checks
  5. XSS triggered we got output.
  6. If we try again the persistant XSS get triggered


Able to execute Persistent stored XSS payloads in cabot which can be used to capture user cookie.

to join this conversation