[BUG] XSS Vulnerability in DeepSeek AI #526

Open
0xSaikat opened this issue Feb 1, 2025 · 1 comment

@0xSaikat

0xSaikat commented Feb 1, 2025

A Cross-Site Scripting (XSS) vulnerability has been identified in DeepSeek AI, which allows an attacker to inject and execute arbitrary JavaScript code. This vulnerability could be exploited to compromise user sessions, steal sensitive information, or conduct phishing attacks.

Steps to Reproduce:

  1. Inject the following payload into an input field that reflects output without proper sanitization:
<iframe srcdoc="

Ethically hacked by 0xSaikat (হা.. হা.. হা.. এটাই বাস্তব, I love you)

" onload="alert('XSS by 0xSaikat - (হা.. হা.. হা.. এটাই বাস্তব, I love you)')"></iframe>
  2. When the affected page loads, the JavaScript executes, displaying an alert box.

Expected Behavior:

  • The application should sanitize user input and prevent script execution.
  • HTML tags and JavaScript should not be rendered or executed.
  • The input should be displayed as plain text if reflected.

Actual Behavior:

  • The input is improperly sanitized, allowing execution of the injected JavaScript.
  • The alert box appears, confirming the execution of arbitrary JavaScript in the victim's browser.
  • This can lead to session hijacking, phishing attacks, or malicious redirections.

PoC: https://www.linkedin.com/posts/0xsaikat_cybersecurity-bugbounty-xss-activity-7291490988076732416-bnVJ?utm_source=share&utm_medium=member_desktop

Impact:

  • Malicious actors could use this vulnerability to execute arbitrary JavaScript in a victim's browser.
  • Possible session hijacking, credential theft, and phishing attacks.

Recommendation:

  • Implement strict input validation and output encoding (e.g., using htmlspecialchars() or equivalent).
  • Use a Content Security Policy (CSP) to restrict inline script execution.

Thank you and have a great day!
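
The two recommendations above (output encoding equivalent to htmlspecialchars(), and a CSP that restricts inline script execution), sketched as an added example that is not part of the original report or the project's code. The function names, the `message` wrapper markup and the sample input are constructed for illustration.

```javascript
// Added example: names and sample input are assumptions, not project code.

// Same character set that PHP's htmlspecialchars(..., ENT_QUOTES) encodes:
// everything that can open a tag, close an attribute value or start an entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode at the point of output, so reflected input is rendered as plain text.
function renderMessage(untrusted) {
  return `<div class="message">${escapeHtml(untrusted)}</div>`;
}

// Fresh random nonce for each response; only <script nonce="..."> tags may run.
function newNonce() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Buffer.from(bytes).toString('base64');
}

// No 'unsafe-inline' in script-src: the browser then refuses inline <script>
// blocks without the nonce and inline event-handler attributes such as onload=.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Headers to attach to every HTML response.
function securityHeaders(nonce) {
  return {
    'Content-Security-Policy': buildCsp(nonce),
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed input with the same shape as the markup in the report.
const sample = '<iframe srcdoc="constructed" onload="alert(1)"></iframe>';
```

Encoding is the primary fix; the CSP is defence in depth for any output path that is missed.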

@0xSaikat 0xSaikat changed the title XSS Vulnerability in DeepSeek AI [Bug] XSS Vulnerability in DeepSeek AI Feb 1, 2025
@0xSaikat 0xSaikat changed the title [Bug] XSS Vulnerability in DeepSeek AI [BUG] XSS Vulnerability in DeepSeek AI Feb 1, 2025
@bitst0rm

bitst0rm commented Feb 1, 2025

Similar expert #514
