Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from no privileges to any user type, which could include an Administrator level user.

When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.

Business Impact

Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

1. Setup Confluence Cloud and install External Share app.

2. Create a new page in any Confluence space as the parent page:

   • Click Create button on the top bar, select Page.

   • Give the page a title.

   • Publish the page.

3. Create a child page under the parent page with XSS payload:

   • Still on the published page, click Create button on the top bar, select Page.

   • Enter the following encoded XSS payload as the title: Bugcrowd <img src onerror="alert('XSS! at '+origin)">

   • Publish the page.

4. Create External Share in the parent page with Search pages enabled:

   • Go to the parent page.

   • Under the page title, click the yellow paper plane icon (External Share).

   • Click Create External Share Link button.

   • Tick the Share child pages checkbox.

   • Tick the Search pages checkbox.

5. Trigger the XSS:

   • Open the external share link (from the URL field).

   • Observe the search bar on top-right.

   • Enter Bugcrowd in the search bar to find the XSS page.

   • An alert will pop up, confirming JavaScript is executed.