24 changes: 24 additions & 0 deletions src/pentesting-web/xss-cross-site-scripting/README.md
Expand Up @@ -1673,6 +1673,29 @@ When a backend **builds a shared SDK by concatenating JS strings with user-contr
- Example pattern (Meta CAPIG): server appends `cbq.config.set("<pixel>","IWLParameters",{params: <user JSON>});` directly into `capig-events.js`.
- Injecting `'` or `"]}` closes the literal/object and adds attacker JS, creating **stored XSS** in the distributed SDK for every site that loads it (first-party and third-party).

### Stored XSS in generated reports when escaping is disabled

If uploaded files are parsed and their metadata is printed into HTML reports with escaping disabled (`|safe`, custom renderers), that metadata is a **stored XSS sink**. Example flow:

```python
xmlhost = data.getAttribute(f'{ns}:host')
ret_list.append(('dialer_code_found', (xmlhost,), ()))
'title': a_template['title'] % t_name # %s fed by xmlhost
```

A Django template renders `{{item|key:"title"|safe}}`, so attacker HTML runs.

**Exploit:** place **entity-encoded HTML** in any manifest/config field that reaches the report:

```xml
<data android:scheme="android_secret_code"
android:host="&lt;img src=x onerror=alert(document.domain)&gt;"/>
```

Rendered with `|safe`, the report outputs `<img ...>` and fires JS on view.

**Hunting:** look for report/notification builders that reuse parsed fields in `%s`/f-strings and disable auto-escape. One encoded tag in an uploaded manifest/log/archive persists XSS for every viewer.

### Abusing Service Workers


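Review bot: the Python block mixes three non-adjacent fragments as if they were one snippet, and nothing shown ties `t_name` to `xmlhost`, so the `# %s fed by xmlhost` comment is asserted rather than demonstrated; separate the fragments with `...` (or name the functions they come from) and add the one line where the host value stored in the `dialer_code_found` entry becomes `t_name`. It would also help to state that the XML parser decodes `&lt;`/`&gt;` to `<`/`>` when reading `android:host`, which is why the entity-encoded value arrives as raw HTML once `|safe` disables escaping, and to close the section with the fix (drop `|safe` and let autoescaping apply, or build the markup with `format_html`) so it serves remediation as well as hunting.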
Expand Down Expand Up @@ -2036,5 +2059,6 @@ other-js-tricks.md
- [From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough](https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html)
- [MDN eval()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)
- [CAPIG XSS: postMessage origin trust becomes a script loader + backend JS concatenation enables supply-chain stored XSS](https://ysamm.com/uncategorized/2026/01/13/capig-xss.html)
- [MobSF stored XSS via manifest analysis (unsafe Django safe sink)](https://github.com/advisories/GHSA-8hf7-h89p-3pqj)

{{#include ../../banners/hacktricks-training.md}}
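Review bot: the new reference names MobSF and the GHSA advisory, but the section added in the first hunk never says which project the `xmlhost`/`dialer_code_found` snippet comes from, so a reader cannot connect the two; name the project in the "Example flow" sentence or link the advisory inline, as the CAPIG bullet above does with its pattern name. The entry itself follows the existing `- [title](url)` list style, so nothing to change there.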