Persistent XSS vulnerability in Zendesk Support Ticket System

Critical persistent cross-site scripting vulnerability in Zendesk. Thousands of top sites are affected by this vulnerability.
An information security researcher, Sukhwinder Singh, has identified a critical security flaw in one of the top support ticket systems, provided by Zendesk.

The title field is vulnerable to persistent cross-site scripting. The researcher managed to create a ticket with this title: "><script>alert(/Sukhwinder Singh/)</script>.

Although the developer of this app sanitizes the title before it is displayed to the user, the title is stored in the database without sanitizing.

The title is sanitized every time it is displayed in the page. Unfortunately, they failed to remove the special characters before placing the title in the data-text attribute of the Twitter_button code.
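
The flaw described above, as an added example that is not Zendesk's code: the stored title is encoded in the visible heading but copied raw into the share button's data-text attribute, shown beside a corrected renderer. The function names, markup and the small tag scanner used as a regression check are assumptions made for illustration.

```javascript
// Added illustration; function names and markup are assumptions, not Zendesk code.
const TITLE = '"><script>alert(/Sukhwinder Singh/)</script>'; // title quoted in the post

// Encode the characters that matter in HTML text and in quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Pattern from the post: the heading is encoded, but the same stored value
// is written unencoded into the data-text attribute.
function renderTicketVulnerable(title) {
  return `<h1>${escapeHtml(title)}</h1>\n` +
    `<a class="twitter-share-button" data-text="${title}">Tweet</a>`;
}

// Corrected form: every sink that receives the stored title encodes it.
function renderTicketFixed(title) {
  const safe = escapeHtml(title);
  return `<h1>${safe}</h1>\n` +
    `<a class="twitter-share-button" data-text="${safe}">Tweet</a>`;
}

// Regression check: list the elements the markup actually opens, honouring
// quoted attribute values, so an attribute breakout shows up as an extra tag.
function elementNames(html) {
  const names = [];
  let i = 0;
  while ((i = html.indexOf("<", i)) !== -1) {
    const m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; } // closing tag or stray '<'
    names.push(m[1].toLowerCase());
    i += m[0].length;
    let quote = null;
    for (; i < html.length; i++) {
      const ch = html[i];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === ">") { i++; break; }
    }
  }
  return names;
}

console.log("vulnerable:", elementNames(renderTicketVulnerable(TITLE)));
console.log("fixed:     ", elementNames(renderTicketFixed(TITLE)));
```

Running the same check over each template that outputs a stored field catches sinks that were missed when encoding was added to only one display path.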


POC:
https://support.zuora.com/entries/23275787--script-alert-Sukhwinder-Singh-script-

The Google dork "Support Ticket System by Zendesk" returns thousands of websites that use this application.

The researcher claimed to have contacted Zendesk, but there is no response from their side. I've also sent a notification to Zendesk.