BugForge - Daily - Ottergram (Repeat)
This is a repeat of the daily challenge from January 24th, 2026.
Vulnerability Overview
The Ottergram application contains a Stored Cross-Site Scripting (XSS) vulnerability in the messaging functionality where user input is rendered using React’s dangerouslySetInnerHTML without proper server-side sanitization. While the frontend applies input sanitization, this can be bypassed by intercepting and modifying requests before they reach the server. By injecting a malicious payload into a message, an attacker can execute arbitrary JavaScript in the context of another user’s browser session. This was exploited using Out-of-Band (OOB) data exfiltration to retrieve the victim’s localStorage contents, including sensitive session data, by sending it to an attacker-controlled server via an injected image tag with an error handler.
Key Issues:
- User-controlled message content is rendered using dangerouslySetInnerHTML without server-side sanitization
- Client-side input validation can be bypassed by intercepting and modifying HTTP requests directly
- The backend trusts that the frontend has sanitized user input, violating the principle of never trusting client-side validation
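As an added example (not code from the Ottergram challenge or from BugForge), the server-side control point that the Key Issues above call for, in JavaScript: the message body is validated and HTML-escaped as the server receives it, so whatever the browser-side check did or did not do no longer matters. Function names and the length limit are assumptions.

```javascript
// Added example, not from the challenge app: server-side neutralization of a
// message body before it is stored and later rendered. Names are hypothetical.
//
// The vulnerable design trusted the browser to sanitize; a request modified in
// transit skips that step, so the only sanitization that counts is the one the
// server applies to the body as it actually arrives.

const MAX_MESSAGE_LENGTH = 2000; // assumed limit

// Escape the five characters that can change HTML element or attribute
// context. Everything else in the message is left untouched.
function escapeHtml(text) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return text.replace(/[&<>"']/g, (ch) => table[ch]);
}

// Validate and neutralize a message body exactly as received from the client.
// Returns the value that is safe to persist, or throws for input to reject.
function acceptMessage(body) {
  if (typeof body !== 'string') throw new TypeError('message must be a string');
  if (body.length === 0 || body.length > MAX_MESSAGE_LENGTH) {
    throw new RangeError('message length out of bounds');
  }
  return escapeHtml(body);
}

// The render path the challenge app used: stored text is injected as markup.
// With escaping done on the server, what reaches __html carries no tags, so
// this path is inert even before the component itself is fixed. If the
// component is later changed to render the text as React children (the
// better fix for plain-text messages), store the raw validated text instead,
// or the escaped entities will be shown literally.
function renderMessage(stored) {
  return { dangerouslySetInnerHTML: { __html: stored } };
}

// Constructed sample: a body of the kind the frontend check would have
// blocked but that reaches the server when the request is edited in transit.
const sample = '<img src=x onerror="alert(1)">';
console.log(acceptMessage(sample));
// -> &lt;img src=x onerror=&quot;alert(1)&quot;&gt;

module.exports = { escapeHtml, acceptMessage, renderMessage, MAX_MESSAGE_LENGTH };
```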
Vulnerabilities Covered
- Cross-Site Scripting (XSS) - Stored
- Out-of-Band (OOB) Data Exfiltration
Classification
- OWASP Top 10: A03:2021 - Injection (Cross-Site Scripting)
- Vulnerability Type: Stored XSS with Out-of-Band Data Exfiltration
- Attack Surface: Messaging functionality with unsanitized HTML rendering
- CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation
