Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneBugraH1:1558010
HistoryMay 03, 2022 - 3:29 p.m.

HackerOne: Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid}

2022-05-0315:29:14
bugra
hackerone.com
45
JSON

Summary:
Hi,

While researching PullRequest yesterday, I saw some “review” endpoints in web archive of “app.pullrequest.com”. (http://web.archive.org/cdx/search/cdx?url=app.pullrequest.com/*&output=text&fl=original&collapse=urlkey)

One of them was https://app.pullrequest.com/reviews/ratings/6eaa6b75-b958-4530-ba46-0d00cbe74e0b/false , I went to that endpoint and filled the all fields with my blind XSS payload.
'"&gt;<img src>

This payload sends an alert to my blind XSS application in ██████

Today (May 3, 2022, 6:09 pm UTC+3), I got a lot of alerts from https://app.pullrequest.com/███. I checked the report and I see it came from an PullRequest admin who checks reviews.

Here is a screenshot from the report :

███████

I checked the HTML source code and I see my payload reflected to Disliked_reviewers, Liked_reviewers and Reasons fields without any encoding.

You can also check the source code : █████████

Impact

Blind XSS in PullRequest admin portal

Regards,
Bugra

JSON