U.S. Dept Of Defense: Stored XSS through name / last name on https://██████████/

2021-01-06T09:28:37
ID H1:1072616
Type hackerone
Reporter nagli
Modified 2021-03-11T20:53:52

Description

Description: There is a stored XSS vulnerability on https://█████/██████, caused by rendering unsafe input registered in the account name and last name.

███

Step-by-step Reproduction Instructions

  1. Navigate to https://█████/login/?next=/███%3Fresponse_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252F████████%252Fcgi%252Flogin.cgi%253Freturn_to%253Dhttps%25253A%25252F%25252F███████%25252Fcgi%25252Fmyaccount.cgi%26client_id%3D6G3AXPQNPXK5SVESYCB8AMCPHQQ3ENCRK8G2QNWY%26state%3DBEAEb6NGMQ7kWZwZS2pNNFv4p7JwBk86%26scope%3Dopenid%2520profile
  2. Create your account, with your name as <IMG SRC=X ONERROR=ALERT(1)>
  3. Log in and navigate to https://███/██████

Suggested Mitigation/Remediation Actions

Sanitizing the input on the account name fields will prevent the issue.

Best Regards

nagli

Impact

Executing JavaScript on behalf of the victim
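
Added example, not code from the report or from the affected site (whose implementation is not shown): a stored name rendered without encoding, beside the same render with HTML output encoding and a registration-time allow-list check. All function names, the name pattern and the sample record are assumptions made for illustration.

```javascript
// Added example with hypothetical names and a constructed sample record.
// Shows where a stored profile name must be encoded before it reaches HTML.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored name is concatenated into markup unchanged,
// so any markup saved at registration is parsed by the browser.
function renderGreetingUnsafe(user) {
  return '<p class="greeting">Welcome, ' + user.firstName + ' ' + user.lastName + '</p>';
}

// "After": every stored field is encoded at the point of output.
function renderGreetingSafe(user) {
  return '<p class="greeting">Welcome, ' + escapeHtml(user.firstName) + ' ' +
    escapeHtml(user.lastName) + '</p>';
}

// Registration-time check (defence in depth, not a substitute for encoding):
// letters, combining marks, spaces, periods, apostrophes and hyphens, 1-64 chars.
const NAME_PATTERN = /^[\p{L}\p{M}][\p{L}\p{M} .'\-]{0,63}$/u;

function isAcceptableName(name) {
  return typeof name === 'string' && NAME_PATTERN.test(name.normalize('NFC'));
}

// Constructed record: first name is the value from step 2 of the report,
// last name is a legitimate name containing a character that must be encoded.
const storedUser = { firstName: '<IMG SRC=X ONERROR=ALERT(1)>', lastName: "O'Brien" };

function demo() {
  return {
    unsafe: renderGreetingUnsafe(storedUser),
    safe: renderGreetingSafe(storedUser),
    firstNameAccepted: isAcceptableName(storedUser.firstName),
    lastNameAccepted: isAcceptableName(storedUser.lastName),
  };
}

console.log(demo());
```

Encoding at output protects records already stored before the fix, which an input filter alone does not.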