HIGH CVSS: 7.6 RESOLVED Web Security

Stored XSS in Master Kategori Produk Hukum

A stored Cross-Site Scripting vulnerability was discovered in the Master Kategori Produk Hukum functionality. Injected JavaScript payloads were stored by the application and executed when the affected page was rendered, demonstrating insufficient input sanitization and unsafe output handling.

Platform
BSSN / Government Bug Bounty
Program
Government Program
Target
Government Legal System
Read Time
12 min

Attack Chain 5 stages

1
Input Submission
2
Stored Payload
3
Unsafe Rendering
4
JavaScript Execution
5
Administrative Impact

Disclosure Timeline

2025-04-20 Target application identified during program scope review
2025-04-22 Master Kategori Produk Hukum feature mapped as attack surface
2025-04-23 Input reflection confirmed — no output encoding detected
2025-04-24 Stored XSS payload confirmed via alert(document.domain)
2025-04-25 Impact validated across multiple user sessions
2025-04-26 Report submitted through official BSSN program
2025-05-05 Report triaged as High severity
2025-05-10 Patch deployed, input sanitization and output encoding added

Reconnaissance

During reconnaissance of the government legal management platform, all administrative data management interfaces were mapped. The "Master Kategori Produk Hukum" (Legal Product Category Management) feature was identified as a high-value target due to its role in storing and displaying categorization data across multiple views. Input fields including category name, description, and metadata were systematically tested for injection vulnerabilities using Burp Suite and browser DevTools.

Vulnerability Discovery

The category name input field accepted arbitrary HTML and JavaScript without any server-side or client-side input validation. When a new category was created with a crafted payload, the input was stored directly in the database and subsequently rendered without output encoding on the category listing page, the category detail view, and the administrative dashboard. This confirmed a classic stored (persistent) XSS vulnerability.

Filter Bypass Analysis

Payloads are intentionally sanitized for responsible disclosure and portfolio presentation.

Direct HTML tags in category name field — NOT BLOCKED
JavaScript event handlers (onerror, onload) — NOT BLOCKED
<script> tag injection — NOT BLOCKED
No Content Security Policy (CSP) header detected
No input length restriction on category name field
No server-side sanitization or WAF filtering observed
Output rendered without HTML entity encoding

Payload Analysis

All payloads below are sanitized proof-of-concept examples. No active exploitation code is shown.

Step 1: HTML injection test
✓ SUCCESS 
<b>test</b><i>italic</i>
NOTE: HTML tags rendered in the output — confirms no sanitization on input or output
Step 2: Basic XSS payload
✓ SUCCESS 
<script>alert(document.domain)</script>
NOTE: alert(document.domain) fires on page load — stored XSS confirmed
Step 3: Event handler payload
✓ SUCCESS 
<img src=x onerror=alert(document.domain)>
NOTE: Alternative vector confirmed — event handler XSS also works
Step 4: DOM context validation
✓ SUCCESS 
"><img src=x onerror=alert(document.domain)>
NOTE: Attribute context breakout — payload executes when category is viewed by any user

Tooling

Burp Suite — intercepting and modifying form submissions
Browser DevTools — inspecting stored output in DOM and confirming execution
Manual payload crafting — testing input sanitization boundaries
OWASP WSTG — systematic testing methodology (WSTG-INPV-02)

Chaining Strategy & Escalation

The stored XSS executes every time any user (including administrators) views the category listing page. Since the payload is persistent, it does not require user interaction beyond normal navigation. In a real attack scenario, this could be weaponized for: (1) session hijacking by stealing admin cookies, (2) administrative account takeover via session token exfiltration, (3) keylogging on administrative pages, (4) defacement of the legal document management system, or (5) phishing by injecting fake login forms into the trusted government domain. The PoC was limited to alert(document.domain) to demonstrate impact without causing harm.

Root Cause Analysis

The application stored user-supplied input directly into the database without any input validation or sanitization. When rendering the stored data, the application inserted it directly into the HTML response without context-aware output encoding. There was no Content Security Policy (CSP) header configured to mitigate inline script execution. The fundamental issue is a lack of defense-in-depth: no input validation, no output encoding, and no CSP — all three layers were missing.

Impact Assessment

Persistent JavaScript execution affecting all users viewing the category page
Potential administrative session hijacking via stored payload
Risk of government platform defacement through DOM manipulation
Credential harvesting via injected phishing forms on trusted domain
Data integrity risk — stored content could be modified by injected scripts
Reputational damage to government digital infrastructure

Remediation

Implement context-aware output encoding (HTML entity encoding) for all user-supplied data rendered in HTML context
Add server-side input validation with an allowlist approach for category names
Deploy a Content Security Policy (CSP) header that restricts inline script execution
Use a well-tested sanitization library (e.g., DOMPurify or OWASP Java Encoder) for any stored content rendering
Add HttpOnly and Secure flags to all session cookies to mitigate cookie theft even if XSS occurs
Implement input length restrictions on all form fields to reduce attack surface

This case study follows responsible disclosure practices. All sensitive data including endpoints, credentials, customer information, and active exploitation payloads have been redacted or sanitized. The vulnerability was reported through the official bug bounty program and has been resolved.