Tuesday, October 30, 2012

Hootsuite labels XSS


You guys use Hootsuite? It's a social media dashboard web app that is used by millions of users.

Well, I found that the label section of Hootsuite Analytics was vulnerable to a persistent XSS, though a self-XSS: the payload is stored with the label and executes every time the label is rendered, but only in the session of the user who created it.
A user could inject arbitrary HTML or JavaScript that would run in the active window.

Proof of concept:
<script>alert(/xss/)</script>



The lesson is not just "sanitize input": every user-controlled value, such as a label name, has to be encoded for the context it is rendered in (HTML-escaped when it is written into the page), so the stored text is displayed as text rather than executed. Filtering on the way in is a useful second layer, but output encoding is what actually closes this class of bug.
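To make that concrete, here is an added example of how a stored label like the PoC above turns into a script when it is concatenated into HTML, and how contextual output encoding stops it. This is my own illustration, not Hootsuite's code (I never saw their source); the render functions, the escapeHtml helper and the sample label are hypothetical and constructed for the demo.

```javascript
// Added example: vulnerable vs. hardened rendering of a user-supplied label.
// Nothing here is Hootsuite's code; the functions and the sample label are
// constructed to mirror the PoC payload from the post.

// A stored label, exactly as a user could have typed it into the analytics UI.
const storedLabel = '<script>alert(/xss/)</script>';

// Vulnerable: the label is dropped into HTML as-is, so the stored payload
// becomes live markup every time the report page is built.
function renderLabelVulnerable(label) {
  return '<span class="label">' + label + '</span>';
}

// Encode the five characters that matter in an HTML text/attribute context.
function escapeHtml(str) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same label is encoded for the HTML context it lands in,
// so the browser displays the literal text instead of executing it.
function renderLabelSafe(label) {
  return '<span class="label">' + escapeHtml(label) + '</span>';
}

// Simple check: does the rendered output still contain an executable
// script tag? True for the vulnerable path, false for the hardened one.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderLabelVulnerable(storedLabel));
console.log('hardened:  ', renderLabelSafe(storedLabel));
```

If the label is written into the DOM directly rather than into an HTML string, the equivalent fix is to assign it with `textContent` instead of `innerHTML`; the point is the same either way: encode for the output context, do not rely on filtering what the user typed.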

Hootsuite's security team fixed this very fast, showing that some companies still care about web security.