Summary:
Hi,
While researching PullRequest yesterday, I saw some “review” endpoints in web archive of “app.pullrequest.com”. (http://web.archive.org/cdx/search/cdx?url=app.pullrequest.com/*&output=text&fl=original&collapse=urlkey)
One of them was https://app.pullrequest.com/reviews/ratings/6eaa6b75-b958-4530-ba46-0d00cbe74e0b/false , I went to that endpoint and filled the all fields with my blind XSS payload.
'"><img src>
This payload sends an alert to my blind XSS application in ██████
Today (May 3, 2022, 6:09 pm UTC+3), I got a lot of alerts from https://app.pullrequest.com/███. I checked the report and I see it came from an PullRequest admin who checks reviews.
Here is a screenshot from the report :
███████
I checked the HTML source code and I see my payload reflected to Disliked_reviewers
, Liked_reviewers
and Reasons
fields without any encoding.
You can also check the source code : █████████
Blind XSS in PullRequest admin portal
Regards,
Bugra