Rockstar Games: DOM-based reflected XSS in through cross-domain AJAX request

ID H1:172843
Type hackerone
Reporter zombiehelp54
Modified 2017-03-17T15:06:23


Hi, I have found a reflected XSS issue in , which is, IMO, kind of tricky.


  • URL:\%2e%2e\%2e%2e\%2e%2e\comments_dal\users\getGlobalLoginSettings%2ejson?callback=alert(%2fxss%2f);%2f%2f
  • Vulnerable Parameter: #/?tags=
  • Payload: \%2e%2e\%2e%2e\%2e%2e\comments_dal\users\getGlobalLoginSettings%2ejson?callback=alert(%2fxss%2f);%2f%2f


The value of the tags parameter is sent as an XHR request to /newswire/tagContent/[tags_param]/1 and the response gets printed in the page. I also found that if the content-type of the response is application/javascript, it gets executed as JavaScript. After digging for a while I found this endpoint, which returns a callback function in the response if the request is XHR, so I used the callback function to execute JavaScript through ?callback=alert(/xss/);//