HipChat - The Polly Integration add-on is vulnerable to Stored XSS attack.

Issue #13 new
Kent Baxley created an issue

Filed on behalf of a customer who reproduced this taking the following steps:

Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

In this case, the malicious code can be placed into the option field of the Polly Add-on. This input will persist and execute each time a user interacts with the created Poll.

Penetration Testing Team logged in to HipChat and joined the Penetration Testing Room. The team browsed through the Integration Add-ons and added the Polly Add-on. This Add-on gives any room the ability to host polls that all members of the room are able to click on and vote. When creating a poll a malicious attacker could include the XSS payload in one of the option fields. Any user that joins the room and clicks on any of the polls that include this will execute the code.

  1. The team creates a new room and at the bottom right clicks the "Integrations" button
  2. The team proceeds and clicks the "Install new integrations" button.
  3. The team locates and clicks the "Polly" Add-on.
  4. The user that created the room is the "Owner", and has the ability to approve any add-on being installed.
  5. The team has the ability to view the syntax and create a poll in the room.
  6. By using the following Polly command, the team creates a new poll with the XSS payload: /poll create for 5 min "Name Of Poll" "Poll Option 1" "<details/open/ontoggle=prompt(1)>"
  7. Any user that clicks on the poll link will be prompted to "vote". If the user clicks on the poll that contains the XSS the code will execute.
  8. XSS execution.

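The defect the report describes is stored option text reaching the page as markup. As an added example (not Polly's code, and not from the reporter), the renderer below shows the unsafe concatenation pattern the report implies beside an escaping renderer that turns the quoted option into inert text, plus a small check a defender can run over stored options to spot ones that would have been parsed as HTML; the poll object is constructed from the values in the issue.

```javascript
// Added example, not Polly's own code. Demonstrates why the poll option
// field in this report becomes a stored XSS sink and how escaping fixes it.

// Constructed sample poll using the poll name and option text from the issue.
const samplePoll = {
  name: 'Name Of Poll',
  options: ['Poll Option 1', '<details/open/ontoggle=prompt(1)>'],
};

// The pattern the report implies: stored text concatenated straight into
// HTML, so an option can carry an element with an event-handler attribute.
function renderPollUnsafe(poll) {
  const items = poll.options.map((o) => `<li>${o}</li>`).join('');
  return `<h3>${poll.name}</h3><ul>${items}</ul>`;
}

// Neutralise the five characters that let text be read as markup or
// break out of an attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every stored value passes through escapeHtml, so
// `<details/open/ontoggle=prompt(1)>` is displayed literally, not parsed.
function renderPoll(poll) {
  const items = poll.options.map((opt, i) =>
    `<li><button data-option="${i}">${escapeHtml(opt)}</button></li>`).join('');
  return `<h3>${escapeHtml(poll.name)}</h3><ul>${items}</ul>`;
}

// Audit helper: flags a stored option that contains a tag opener or an
// on*= handler, i.e. text that would have executed under the unsafe renderer.
function looksLikeMarkup(option) {
  return /<\s*[a-z!\/]/i.test(option) || /\bon[a-z]+\s*=/i.test(option);
}
```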
Comments (2)

  1. Peter Brownlow Account Deactivated

    IMPORTANT NOTICE

    Regretfully, changes in Polly's hosting mean that it will be shutting down in August 2017. In order to keep it running I would have to invest significant time, which I simply don't have. Thanks for using Polly, and I hope that it was useful.

  2. Peter Brownlow Account Deactivated

    EXCELLENT NEWS

    Polly's hosting arrangement has been saved, so you can keep polling to your hearts' content. There will be no shut-down.
