Introducing Evil In Your Website With Untrusted Third Party Scripts


This is a small case study in which my aim is to explain why you shouldn't use untrusted third-party scripts on your website. HtmlCommentBox is a third-party script that can be embedded into any webpage to provide a place where users can comment and interact with each other. I feel it is poorly coded from both the user's perspective and the security perspective, as it could introduce lots of spam into your website.

Let's talk about what else it could do, other than introducing spam, from a security perspective. We [me and Pepe Vila] have found two attack vectors in HtmlCommentBox, as it does not sanitise user input properly, resulting in a stored XSS and also a reflected XSS, which obviously leaves a wide variety of attack vectors from the attacker's perspective.

Stored XSS POC

The POC is very simple. It seems that you can inject anything as long as you don't close the tag:

Example:
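For defenders, an added illustration (not part of the original post and not HtmlCommentBox's code) of why a filter that only removes complete tags lets an unclosed tag through, next to output encoding that neutralises it. The post does not show how HtmlCommentBox filters input, so `stripCompleteTags` is a hypothetical stand-in, and the sample comments are constructed and contain only benign markup.

```javascript
// Added example; hypothetical filter, not HtmlCommentBox's actual code.

// Weak approach: delete anything that looks like a finished <...> tag.
// A tag with no closing '>' never matches, so it is left in place, and
// the browser's tokenizer will treat the page's next '>' as its end.
function stripCompleteTags(input) {
  return String(input).replace(/<[^>]*>/g, "");
}

// Hardened approach: encode every HTML metacharacter when the comment is
// written into the page, so the input can never start or extend markup.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Check: can the sanitised text still open a tag, comment or declaration?
function containsMarkupStart(text) {
  return /<[a-zA-Z\/!?]/.test(text);
}

// Constructed sample comments (benign markup only).
const SAMPLES = {
  closed: 'nice post <b title="t">bold</b>',
  unclosed: 'nice post <b title="t"',
};

// Run each sample through a sanitiser and report whether markup survives.
function audit(sanitiser) {
  const result = {};
  for (const [name, comment] of Object.entries(SAMPLES)) {
    result[name] = containsMarkupStart(sanitiser(comment));
  }
  return result;
}

console.log("stripCompleteTags:", audit(stripCompleteTags));
console.log("escapeHtml:       ", audit(escapeHtml));
```

The same `audit` check can be pointed at whatever sanitising function a comment widget or template actually uses, as a regression test for this class of bug.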