HackerOne report H1:2434904

U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████

2024-03-26 16:32:56
neg0x
hackerone.com
Tags: reflected cross-site scripting, search query, javascript execution, html tag injection, input sanitization, bug bounty

AI Score: 7.4 High (Confidence: High)

Hi team

I found a reflected XSS via the search query on ████████ that allows an attacker to execute JavaScript code in the victim's browser.

PoC

1- Doing subdomain enumeration of ██████████, I found the following one: ████████
2- On the search query, I saw that it is injected inside an h6 HTML tag:

██████████

3- So, to escape the HTML, I used the following payload to trigger the XSS: `</h6><image/src/onerror=alert(document.cookie)>`

████

Impact

Incorrect sanitization of the search query parameter allows an attacker to execute JS code in the victim's browser.

System Host(s)

████

Affected Product(s) and Version(s)

CVE Numbers

Steps to Reproduce

Proof-of-concept above in the description.

Suggested Mitigation/Remediation Actions

Sanitize input data from the user to avoid HTML/XSS injections.
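The remediation above comes down to output encoding for the context the query is reflected into (here, the text of an h6 element). The following is an added example, not code from the report or from the affected site: the `renderSearchHeadingUnsafe`/`renderSearchHeadingSafe` functions, the heading template, and the `containsInjectedTag` check are assumptions made for illustration. It renders the report's payload through both a string-concatenating template and an entity-encoding one, and checks whether any tag other than the heading survives in the output.

```javascript
// Added example (not from the HackerOne report or the affected site):
// contrast a raw reflection of a search query inside <h6> with an
// entity-encoded reflection, and check the rendered markup for stray tags.
// Function names and the heading template are assumptions for illustration.

// Encode the characters that are significant in an HTML text context.
// Attribute, JavaScript and URL contexts need their own encoders; this
// function only covers element text such as the heading below.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (as described in the report): the raw query is
// concatenated into the markup, so "</h6>" in the query closes the heading
// and whatever follows is parsed as new elements.
function renderSearchHeadingUnsafe(query) {
  return '<h6>Search results for: ' + query + '</h6>';
}

// Hardened pattern: the query is entity-encoded before it is placed in the
// text content of the heading, so the browser renders it as literal text.
function renderSearchHeadingSafe(query) {
  return '<h6>Search results for: ' + escapeHtml(query) + '</h6>';
}

// Simple check on rendered output: the only tags present should be the
// heading's own opening and closing tag. Anything else means the query
// broke out of the text context.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const expected = ['<h6>', '</h6>'];
  return tags.length !== expected.length ||
    tags.some((tag, i) => tag !== expected[i]);
}

// Constructed sample input: the payload quoted in the report, used here
// only to show that the encoded rendering keeps it inside the heading text.
const REPORT_PAYLOAD = '</h6><image/src/onerror=alert(document.cookie)>';

// Usage: compare both renderings for a benign query and for the payload.
for (const query of ['rsa keys', REPORT_PAYLOAD]) {
  console.log('unsafe :', renderSearchHeadingUnsafe(query),
              '-> injected tag:', containsInjectedTag(renderSearchHeadingUnsafe(query)));
  console.log('safe   :', renderSearchHeadingSafe(query),
              '-> injected tag:', containsInjectedTag(renderSearchHeadingSafe(query)));
}
```

In practice the encoding belongs in the template engine's default (auto-escaping) rather than in hand-written calls, and a Content-Security-Policy without `unsafe-inline` limits what an injected inline handler can do if an encoding step is missed; neither replaces the other.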
