Cross-site Scripting (XSS) - Generic in octoprint/octoprint
Apr 20th 2022
The Stream URL field of the OctoPrint application allows an XSS payload to execute, which leads to Cross-site Scripting (XSS).
Proof of Concept
Log in to the application.
Go to Settings -> Webcam & Timelapse -> Stream URL and insert the payload
"<img src=1 onerror=alert(document.cookie)> into the Stream URL field, then click "Test".
You will see that it makes an internal GET request and the payload executes.
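The root cause described above is a user-controlled URL being placed into an HTML attribute without validation or escaping. The following is an added illustration, not OctoPrint's own code, of the vulnerable pattern beside a hardened one: the stream URL is first checked to be an absolute http(s) URL free of markup characters, and only then HTML-escaped into the img src attribute. The sample URLs, the function names and the allow-list are assumptions made for this example.

```python
import html
from urllib.parse import urlparse

# Constructed sample inputs: a legitimate MJPEG stream URL and the payload
# quoted in the report above.
GOOD_URL = "http://192.0.2.10:8080/?action=stream"
PAYLOAD = '"<img src=1 onerror=alert(document.cookie)>'

# Hypothetical policy for this example: only absolute http/https URLs.
ALLOWED_SCHEMES = {"http", "https"}
# Characters that never belong in a stream URL but do appear in injected markup.
FORBIDDEN_CHARS = set('<>"\'` \t\r\n')


def validate_stream_url(url: str) -> bool:
    """Return True only if `url` is a plausible http(s) webcam stream URL.

    Server-side check (example code, not OctoPrint's): reject anything that is
    not an absolute http/https URL or that carries markup characters.
    """
    if not isinstance(url, str) or not url:
        return False
    if any(ch in FORBIDDEN_CHARS for ch in url):
        return False
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parsed.netloc:
        return False
    return True


def render_preview_unsafe(url: str) -> str:
    """The vulnerable pattern: raw concatenation into an attribute value.

    A leading double quote in `url` closes the attribute early, so any tag that
    follows it becomes live markup in the page.
    """
    return '<img src="' + url + '" alt="webcam stream">'


def render_preview_safe(url: str) -> str:
    """Validate first, then HTML-escape before placing the value in src."""
    if not validate_stream_url(url):
        raise ValueError("stream URL rejected")
    return '<img src="%s" alt="webcam stream">' % html.escape(url, quote=True)


if __name__ == "__main__":
    print(render_preview_unsafe(PAYLOAD))  # injected tag survives intact
    print(render_preview_safe(GOOD_URL))   # legitimate URL passes through
    try:
        render_preview_safe(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Escaping alone would stop the markup from breaking out of the attribute, but the validation step also rejects non-http(s) schemes, which matters because a src value is itself a URL context. Running the block shows the payload passing through the unsafe renderer unchanged and being rejected by the safe one.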
User accounts can be hijacked, credentials could be stolen, sensitive data could be exfiltrated, and lastly, access to client computers can be obtained.