Mindoktor: XSS at endpoint clinic.mindoktor.se in flash cookie

2016-10-20T13:46:19
ID H1:177041
Type hackerone
Reporter dmatrix503
Modified 1970-01-01T00:00:00

Description

Issue: XSS found at endpoint clinic.mindoktor.se/user/login

Endpoint: clinic.mindoktor.se/user/login

Steps of reproduction

1. Go to the endpoint above.
2. Enter a random email address and password.
3. Intercept the request with a proxy such as Burp Suite.
4. Change the email parameter to &email=%00%00error%3A%3C%2fstrong%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2fscript%3E%00%3B
5. The server responds with the cookie clinic_v2.52_FLASH=%00email%3A%00%00error%3A%3C%2Fstrong%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%00%3B%00%00error%3AFelaktig+e-postadress+eller+l%C3%B6senord.%00;
6. Now load the page in any current browser and BAM!! "XSS POPUP!!"

Proof: {F129081} AND {F129082}

Problem: The user-supplied email value is written verbatim into the flash cookie without sanitisation, and the cookie's contents are later rendered into the page without encoding.
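As an added example (not code from Mindoktor or from the reporter), the following Python models the NUL-delimited flash-cookie format visible in the quoted cookie value: the naive reader shows how the submitted email smuggles in a second error field, while the hardened writer and renderer show the two fixes (reject delimiter bytes before storing, HTML-escape at render time). The "\0key:value\0" field layout is inferred from the report and is an assumption.

```python
import html
from urllib.parse import quote, unquote_plus

# Constructed copy of the flash cookie value quoted in the report.
REPORT_COOKIE = (
    "%00email%3A%00%00error%3A%3C%2Fstrong%3E%3Cscript%3Ealert%28document.cookie%29%3B"
    "%3C%2Fscript%3E%00%3B%00%00error%3AFelaktig+e-postadress+eller+l%C3%B6senord.%00"
)


def parse_flash(raw: str) -> list[tuple[str, str]]:
    """Naive reader for the assumed format: NUL-wrapped "key:value" fields.

    Because the submitted email is stored verbatim, a NUL byte inside it ends
    the email field early and whatever follows is read as further fields.
    """
    fields = []
    for chunk in unquote_plus(raw).split("\x00"):
        if ":" in chunk:
            key, _, value = chunk.partition(":")
            fields.append((key, value))
    return fields


def safe_to_store(value: str) -> bool:
    """Reject any value that contains the cookie's field delimiter."""
    return "\x00" not in value


def build_flash(fields: list[tuple[str, str]]) -> str:
    """Hardened writer: refuse delimiter bytes, then percent-encode."""
    out = ""
    for key, value in fields:
        if not (safe_to_store(key) and safe_to_store(value)) or ":" in key:
            raise ValueError("flash field contains a delimiter")
        out += f"\x00{key}:{value}\x00"
    return quote(out, safe="")


def render_errors(fields: list[tuple[str, str]]) -> str:
    """Hardened renderer: every flash value goes through html.escape, so a
    value that did reach the cookie is displayed as text, never as markup."""
    return "".join(
        f"<strong>{html.escape(value)}</strong>"
        for key, value in fields if key == "error"
    )


if __name__ == "__main__":
    fields = parse_flash(REPORT_COOKIE)
    print(fields)           # two "error" fields: one injected, one genuine
    print(render_errors(fields))
```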

ATTACK SCENARIO: The attacker sends a crafted web page to an already logged-in user; the XSS does its job and the user's tokens are stolen.

Thank You