Banco Guayaquil Mobile iOS Cross-Site Scripting Vulnerability

Vulnerability

A persistent cross-site scripting vulnerability has been identified in the Banco Guayaquil mobile application for iOS, version 8.0.0. The issue resides in the 'TextBox Name Profile' input, where attackers can inject malicious script code via a POST request. This injected script executes automatically during application review, without any user interaction.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed automatically in the context of the application.

Reproduction

To reproduce this vulnerability, install the Banco Guayaquil mobile iOS application version 8.0.0. After installation, add a new profile name using the 'TextBox Name Profile' input, injecting a script code payload. Save the profile, then close and reopen the application. The injected script will execute automatically during the review process, demonstrating the cross-site scripting vulnerability.

Remediation

The vulnerability can be fixed by encoding and sanitizing the 'TextBox Name Profile' input before it is processed, and by cleaning the output before it is displayed in the application.
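
The two remediation steps above, input validation and output encoding, shown as an added example that is not code from the application or the advisory. The function names, the 64-character limit and the character allowlist are assumptions chosen for illustration, and the sample names in the usage are constructed.

```javascript
// Added example: handling a profile name on input and on output.
// MAX_NAME_LENGTH and NAME_ALLOWLIST are assumed values, not taken from the app.
const MAX_NAME_LENGTH = 64;
// Letters, combining marks, digits, space and a few punctuation characters used in names.
const NAME_ALLOWLIST = /^[\p{L}\p{M}\p{N} .,'-]+$/u;

// Input side: normalize first, then accept only names that match the allowlist.
// NFKC folds look-alike forms (for example fullwidth angle brackets) into their
// ASCII equivalents so they cannot slip past the character check.
function validateProfileName(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not-a-string" };
  const name = raw.normalize("NFKC").trim();
  if (name.length === 0) return { ok: false, reason: "empty" };
  if (name.length > MAX_NAME_LENGTH) return { ok: false, reason: "too-long" };
  if (!NAME_ALLOWLIST.test(name)) return { ok: false, reason: "disallowed-character" };
  return { ok: true, value: name };
}

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Output side: encode for HTML text and quoted-attribute contexts.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Rendering always encodes the stored value, even if it passed validation,
// because records saved before the validation existed may still hold markup.
function renderProfileName(storedName) {
  const safe = encodeHtml(storedName);
  return `<span class="profile-name" title="${safe}">${safe}</span>`;
}

// Constructed sample values.
console.log(validateProfileName("María O'Neil-Smith"));
console.log(validateProfileName("<i>Ana</i>"));
console.log(renderProfileName('<i>Ana</i> & "co"'));
```

Encoding at render time is what protects names that were stored before validation was introduced; validation alone only stops new entries.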

Added: Feb 1, 2026, 1:19 PM
Updated: Feb 1, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 4.6
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.