Vulnerability Disclosure Report Title: Cross-Site Scripting (XSS) Vulnerability in Profile Edit Section

Summary

A stored Cross-Site Scripting (XSS) vulnerability was identified in the profile editing functionality of RemoteOK. Free-text profile fields (for example the skills field) are stored without sanitization and rendered into the profile page without output encoding, so an attacker can inject arbitrary HTML and JavaScript that executes whenever the profile is viewed.

If exploited, the injected script runs in the browser of anyone who views the profile, with that viewer's authenticated session. This can lead to account takeover, credential theft, phishing, and reputation damage.


Affected Endpoint(s)

https://remoteok.com/@<username>?edit=1 

Vulnerability Details

During testing, several XSS payloads were entered into editable profile fields. Instead of being encoded or sanitized, the payloads were stored and rendered as live markup, causing JavaScript execution (and in some cases application errors) when the profile was displayed.

Working Payloads Tested:

  • "><script>alert('XSS')</script>
  • <svg/onload=alert(1337)>
  • <img src=x onerror=alert(document.cookie)>

Behavior Observed:

  • Payload 1:
    "><script>alert('XSS')</script>
    → Injected script tags caused a JavaScript popup when rendered.

  • Payload 2:
    <svg/onload=alert(1337)>
    → Triggered JavaScript execution via the SVG element’s onload event.

  • Payload 3:
    <img src=x onerror=alert(document.cookie)>
    → Displayed in a popup every cookie readable from JavaScript. Any session cookie that is not flagged HttpOnly is exposed this way and could be sent to an attacker instead of shown, so session hijacking is possible if exploited.


Proof of Concept (PoC)

  1. Log in to RemoteOK and go to:

    https://remoteok.com/@<username>?edit=1 
  2. In the skills or other free-text input field, insert the payload:

    <svg/onload=alert(1337)>

  3. Save the profile.

  4. Navigate to the profile view page.

  5. Observe the XSS popup firing in the browser.


Security Impact

  • Account Hijacking: The same payload that shows document.cookie in a popup (<img src=x onerror=alert(document.cookie)>) can instead send the value to an attacker-controlled server; any session cookie without the HttpOnly flag is exposed.

  • Phishing Attacks: Injected scripts can display fake login prompts.

  • Defacement: Attackers can alter profile content or inject malicious links.

  • Worm-like Propagation: Because the payload is stored and runs with the viewer's session, an injected script could submit the viewer's own profile edit containing the same payload, so each visit to an infected profile can infect the visitor's profile in turn.

Severity: High (CVSS 7.4–8.8)


Recommendations

  1. Encode Output for Its Context – HTML-encode every user-supplied profile field at the point it is written into the page (HTML text, attribute, JavaScript and URL contexts each need their own encoder); do not rely on filtering at input time alone.

  2. Sanitize User Input – Where rich HTML must be allowed, pass it through an allowlist-based sanitizer such as DOMPurify. For plain-text fields such as skills, output encoding alone is sufficient.

  3. Enforce a Content Security Policy – Serve a CSP whose script-src has no 'unsafe-inline' or 'unsafe-eval' (nonce- or hash-based), so injected inline <script> tags and event handlers such as onload and onerror do not execute even if markup slips through.

  4. Validate on the Server Side (and, for usability, the client) – Accept only the characters a field legitimately needs via an allowlist; rejecting known-bad tags and event handlers is easy to bypass and must not be the only control.

  5. Flag the Session Cookie HttpOnly – A script that does run then cannot read the session cookie through document.cookie, which limits the account-hijacking impact shown above.
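As an added illustration of recommendations 1, 2 and 4 (example code written for this report, not RemoteOK's own code; the function names, the skills-list markup and the allowlist pattern are assumptions), the following Node.js script renders the three reported payloads through a vulnerable string-concatenation template and through an output-encoding one, and shows a server-side allowlist check that rejects all three before they are stored:

```javascript
// Added example, not RemoteOK's code. Names and the skill format are hypothetical.
// Demonstrates: (a) the unsafe concatenation pattern the report describes,
// (b) HTML output encoding, (c) an allowlist validator for a plain-text field.

// The three payloads from the report, embedded here as constructed test input.
const REPORTED_PAYLOADS = [
  `"><script>alert('XSS')</script>`,
  `<svg/onload=alert(1337)>`,
  `<img src=x onerror=alert(document.cookie)>`,
];

// Vulnerable: user text is concatenated straight into HTML, so the browser
// parses the payload as markup and runs its script or event handler.
function renderSkillsUnsafe(skills) {
  return skills.map((s) => `<li class="skill">${s}</li>`).join("");
}

// HTML text/attribute-context encoder: the five characters that can open or
// close markup are replaced by entities, so the browser shows them as text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: encode at the point of output, in the HTML text context.
function renderSkillsSafe(skills) {
  return skills.map((s) => `<li class="skill">${escapeHtml(s)}</li>`).join("");
}

// Server-side allowlist for a skill tag (assumed format): letters, digits,
// space and the few symbols real skill names use (C++, C#, .NET, Node.js).
// Anything outside the allowlist, including every reported payload, is
// rejected before it reaches storage. This complements, not replaces, encoding.
const SKILL_RE = /^[A-Za-z0-9.][A-Za-z0-9 .+#\/-]{0,39}$/;
function validateSkill(skill) {
  return SKILL_RE.test(skill);
}

// Detector used to compare the two renderers: true if the output contains a
// raw <script>/<svg>/<img> tag or a tag carrying an on* event-handler attribute.
function containsLiveMarkup(html) {
  return /<(script|svg|img)\b/i.test(html) || /<\w+[^>]*[\s\/]on\w+\s*=/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of REPORTED_PAYLOADS) {
    console.log(JSON.stringify(p));
    console.log("  unsafe:           ", renderSkillsUnsafe([p]));
    console.log("  safe:             ", renderSkillsSafe([p]));
    console.log("  allowlist accepts:", validateSkill(p));
  }
}
```

Run it with `node` and compare the two renderings of each payload: the unsafe output contains the live tag, the safe output contains only entities, and the allowlist rejects all three while still accepting ordinary skill names. For recommendation 3 the matching header would be of the form `Content-Security-Policy: script-src 'self' 'nonce-<random-per-response>'`, under which the inline onload/onerror handlers and the injected <script> tag would not run even if the encoding step were missed. DOMPurify is deliberately absent: it belongs only on fields where HTML is meant to be accepted, which a skills list is not.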


Disclosure Timeline

  • 2025-08-21 – Vulnerability discovered.

  • 2025-08-21 – Report drafted.

  • Pending – Disclosure to RemoteOK team.


✉️ Reporter Contact: Himangshu Sarkar – himangshusarkar622@gmail.com

Status: Completed
Board: 🛰 Remote OK
Date: 7 months ago
