Stored XSS in application name in autolab/autolab


Reported on

May 11th 2022


Hi there, there is a stored XSS in the OAuth application name.

Proof of Concept

  1. Install a local instance of Autolab.
  2. Go to /oauth/applications and create a new application with the name <img src=a onerror=alert(document.cookie)>.
  3. Click on Authorize and see that a pop-up appears with the user's cookies.

Link to POC


Stored XSS, cookie theft.
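The following Ruby sketch is an added example, not part of the report and not Autolab's code or its merged fix. It renders the application name from the proof of concept raw and HTML-escaped, and adds a write-time name check and a scan for stored names that carry markup. The templates, the name policy and all helper names are assumptions made for illustration.

```ruby
require "erb"

# Constructed sample: the application name used in the report's proof of concept.
POC_NAME = "<img src=a onerror=alert(document.cookie)>"

# Hypothetical authorize-page fragments (not Autolab's real view).
# Plain stdlib ERB does not escape <%= %>, so UNSAFE behaves like a view that
# emits the stored name as raw markup. SAFE escapes the name on output.
UNSAFE_TEMPLATE = ERB.new("<h3>Authorize <%= name %> to use your account?</h3>")
SAFE_TEMPLATE = ERB.new(
  "<h3>Authorize <%= ERB::Util.html_escape(name) %> to use your account?</h3>"
)

def render_unsafe(name)
  UNSAFE_TEMPLATE.result_with_hash(name: name)
end

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Defence in depth at write time. The allowed character set and length are an
# assumed policy, not one taken from the project.
NAME_PATTERN = /\A[\p{Alnum} ._\-]{1,64}\z/

def valid_application_name?(name)
  name.is_a?(String) && NAME_PATTERN.match?(name)
end

# After output escaping is in place, rows stored earlier may still contain
# markup. Any name that changes under HTML escaping is worth a manual review.
def names_needing_review(names)
  names.reject { |n| ERB::Util.html_escape(n) == n }
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(POC_NAME)
  puts render_safe(POC_NAME)
  puts valid_application_name?(POC_NAME)
  # Constructed list standing in for stored application names.
  p names_needing_review(["Course Grader v2", POC_NAME, "R&D tools"])
end
```

Output escaping is the control that removes the script execution; the name policy only narrows what can be stored.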

We are processing your report and will contact the autolab team within 24 hours. 17 days ago
We have contacted a member of the autolab team and are waiting to hear back 16 days ago
Joey Wildman modified the Severity from Critical to Low 15 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Joey Wildman validated this vulnerability 15 days ago

We have verified this issue and are working on a fix.

justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Damian Ho confirmed that a fix has been merged on a0a241 14 days ago
Damian Ho has been awarded the fix bounty