# Exploit Title: SIAKAD STEKOM - Stored XSS Vulnerability in Footer
# Date: 2025-05-22
# Exploit Author: 6ickzone ([email protected])
# Vendor Homepage: https://www.stekom.ac.id/
# Software Link: https://siakad2.stekom.ac.id/loginsiakad/login
# Category: Webapps
# CVE: N/A
# CWE: CWE-79

## Description:
A stored XSS vulnerability was discovered on the login page of SIAKAD STEKOM (https://siakad2.stekom.ac.id/loginsiakad/login), specifically within the footer text input. Malicious JavaScript payloads can be injected and stored, and are executed every time the page is loaded, potentially compromising cookies or session tokens.

## Vulnerable Parameter:
Username field on the login page (https://siakad2.stekom.ac.id/loginsiakad/login)

## Payload (Proof of Concept):
"><svg/onload=alert('XSS')>

## Impact:
- Cookie/session hijacking
- Redirection to malicious websites
- Phishing attacks on users/admins

## Recommendation:
- Apply output encoding on all dynamic content (footer section).
- Sanitize inputs before storage.
- Implement Content Security Policy (CSP).

## Tested On:
- Chrome v123
- Firefox v120
References:
https://siakad2.stekom.ac.id/loginsiakad/login
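The three recommendations above, worked through against the quoted payload as an added example (this is not SIAKAD STEKOM's code). Because the payload opens with `">`, the example assumes the footer text is written into an HTML attribute as well as into the page body; the template markup, the length limit and the CSP directives are assumptions.

```javascript
// Added example (not SIAKAD's own code): the three mitigations from the
// Recommendation section applied to the stored footer text. Because the PoC
// payload on this page opens with '">', the footer value is assumed to be
// written into an HTML attribute as well as into the page body.
const POC_PAYLOAD = `"><svg/onload=alert('XSS')>`; // payload quoted above

// 1. Output encoding for HTML text and attribute contexts: every character
//    that can change parser state becomes a numeric entity, so the browser
//    renders it as text and never sees a tag or an event handler.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'`\/=]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16)};`);
}

// Vulnerable template pattern: raw interpolation lets '">' close the value
// attribute, and the rest of the input becomes live markup.
function renderFooterUnsafe(storedText) {
  return `<input type="text" name="footer" value="${storedText}"><p>${storedText}</p>`;
}

// Hardened template: identical markup, stored text encoded at each insertion.
function renderFooterSafe(storedText) {
  const safe = encodeForHtml(storedText);
  return `<input type="text" name="footer" value="${safe}"><p>${safe}</p>`;
}

// 2. Validation before storage (defence in depth, not a substitute for
//    encoding): footer text is plain prose, so reject markup characters and
//    over-long values. The length limit is an assumed policy value.
const FOOTER_MAX_LENGTH = 200;
function isAcceptableFooterText(value) {
  return typeof value === "string" && value.length <= FOOTER_MAX_LENGTH &&
    !/[<>"'`]/.test(value);
}

// 3. CSP for the login page. Without 'unsafe-inline', inline event handlers
//    such as onload= are refused, so an encoding miss still does not execute.
//    Assumes all legitimate scripts come from the page's own origin.
const CONTENT_SECURITY_POLICY = "default-src 'self'; script-src 'self'; " +
  "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

// The template contains exactly six attribute-delimiting quotes; any other
// count in the rendered HTML means user input escaped its attribute.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}

console.log(countQuotes(renderFooterUnsafe(POC_PAYLOAD))); // 8: attribute broken
console.log(countQuotes(renderFooterSafe(POC_PAYLOAD)));   // 6: attribute intact
```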