XSS in SOQL Console
Bug Bounty Findings
Summary
Because the report is still pending resolution, the target is referred to here as "redacted.com." It is a website management dashboard, reachable at "dashboard.redacted.com," that lets administrators control their public website at "site.redacted.sites."
XSS
I discovered that the dashboard let the admin run what I took at the time to be SQL queries. Intrigued by this functionality, I tested it by running the following query:
When the query ran, the output listed only the users I had created while testing on "site.redacted.sites." I then went back to "site.redacted.sites," created a new user, and filled their profile fields with XSS payloads. Running the query again showed the new data on the dashboard; however, the payload did not fire, because the dashboard HTML-encoded the values before displaying them.
More digging:
Upon further investigation, I found that the query is sent via an XHR (XMLHttpRequest) to the following endpoint:
Now, by opening this endpoint directly in the browser and modifying the query to
I observed that the endpoint returns the user data as HTML rather than JSON, and, to my surprise, an alert fired directly on the page: the encoding that protected the dashboard view is applied client-side, so the raw HTML response from the endpoint carries the stored payload unencoded. This XSS therefore affects not only the dashboard admins but anyone who can reach the QueryConsole endpoint, since the attacker-controlled values come from ordinary user registration on the public site.
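The behaviour described above, in miniature, as an added example (this is not code from the original report or from the vendor's dashboard): the same query result is rendered twice, once by concatenating field values into HTML as the endpoint's HTML response does, and once with entity encoding as the dashboard view does. The record shape, field names and payload are constructed for illustration.

```javascript
// Minimal HTML entity encoding for text placed inside element content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample rows, shaped like records returned by a SOQL query such as
// SELECT Name, Email FROM User (field names are an assumption). The first row
// carries a stored XSS payload that an attacker plants simply by registering on
// the public site.
const SAMPLE_RECORDS = [
  { Name: "<img src=x onerror=alert(document.domain)>", Email: "attacker@example.com" },
  { Name: "Alice Example", Email: "alice@example.com" },
];

// Vulnerable renderer: interpolates field values straight into the HTML body,
// which is what the report describes for the endpoint's HTML response.
function renderUnsafe(records) {
  const rows = records
    .map((r) => `<tr><td>${r.Name}</td><td>${r.Email}</td></tr>`)
    .join("");
  return `<table>${rows}</table>`;
}

// Hardened renderer: every value is entity-encoded before it reaches the
// document, so the stored payload is displayed as text rather than parsed
// as markup. (Returning JSON and inserting it with textContent on the client
// is the equivalent fix for the XHR path.)
function renderSafe(records) {
  const rows = records
    .map((r) => `<tr><td>${escapeHtml(r.Name)}</td><td>${escapeHtml(r.Email)}</td></tr>`)
    .join("");
  return `<table>${rows}</table>`;
}

// Quick triage check a tester can run over a captured response body: does the
// attacker-supplied value survive verbatim as live markup?
function payloadSurvives(html, payload) {
  return html.includes(payload);
}
```

With the constructed rows, `payloadSurvives(renderUnsafe(SAMPLE_RECORDS), SAMPLE_RECORDS[0].Name)` is true and the same check against `renderSafe` is false; the encoded output contains `&lt;img ...&gt;` instead of a tag. The same check is what distinguishes the two code paths on the real target: the dashboard view encodes, the HTML-returning endpoint does not.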
Furthermore: CSRF
Initially, I mistakenly assumed the console was an SQL console, so I attempted a CSRF attack intended to force the admin into modifying user data. The CSRF request itself succeeded, but nothing was updated because the query did not do what I intended. On closer examination, I realized that the console uses SOQL (Salesforce Object Query Language) rather than SQL. SOQL is a read-only query language (SELECT only); data changes in Salesforce go through separate DML or API calls, so a forged query cannot modify records. Having confirmed this with some initial testing, I promptly reported the XSS vulnerability.