HackerOne report H1:1858495 (nicochess), Feb 02, 2023 - 12:46 a.m.

TD Bank: Reflected XSS on Admin Login Page

Tags: td bank, reflected xss, admin login, cross site scripting, vulnerable path, dom, proof of concept, steps to reproduce, mitigations, sanitizing data, escaping output, impact, bug bounty

When you try to access a private page under https://td.intelliresponse.com/a6 you are redirected to a login page (popupLogin.jsp) that reflects the value of the 'win' URL parameter into the page's DOM. Because the reflected value is not encoded for the HTML context it is written into, the parameter is an injection point that can be used to perform a reflected Cross Site Scripting attack against anyone who opens a crafted link.

Proof of Concept

Open the following URL; an alert box showing the cookies for the domain will pop up on the screen: https://td.intelliresponse.com/a6/shared/popupLogin.jsp?win="><script>alert(document.cookie)</script> (if the session cookie is flagged HttpOnly it will not appear in document.cookie, but the injected script still runs in the application's origin).

Steps To Reproduce:

  1. Access the endpoint https://td.intelliresponse.com/a6.
  2. You are redirected to the login page. Note the win parameter in the URL and replace its value with a payload that starts with "> (to close the attribute and the tag the value is reflected into) followed by any text or script.
  3. The payload is reflected verbatim into the page and, if it contains a script or an event handler, it executes.

Supporting Material/References:

{F2149294}

Recommendation/Remediation/Fix:

The root cause is missing output encoding, so the primary fix is to encode the win parameter (and any other request data) for the context it is written into every time popupLogin.jsp emits it, for example with JSTL's <c:out value="${param.win}"/> or fn:escapeXml() instead of a raw <%= request.getParameter("win") %>. Input validation (for instance restricting win to the set of window names the application actually expects) is a worthwhile second layer, but filtering input does not replace escaping output, since a blacklist of tags is easily bypassed. Restructuring the page so that script is loaded only from well-defined endpoints, backed by a Content-Security-Policy that forbids inline script, and setting HttpOnly on the session cookie, limit the impact of any reflection that is missed.
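The example below is added here and is not code from the report or from the intelliresponse application. It models the attribute-context reflection described in the proof of concept and the steps to reproduce, and contrasts the three remediation approaches discussed above: no encoding, input filtering only, and contextual output encoding. The HTML template is a hypothetical stand-in for popupLogin.jsp, whose real markup the report does not show; only the parameter name win and the PoC URL come from the report, and the second payload is constructed to show that stripping <script> elements is not enough.

```javascript
// Added example, not code from the report or the intelliresponse application.
// The template is a hypothetical stand-in for popupLogin.jsp; only the `win`
// parameter name and the PoC URL are taken from the report.

// Context-aware encoder for HTML text and double-quoted attribute values.
// Equivalent to what JSTL's <c:out> / fn:escapeXml() do server-side in a JSP.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Naive input "sanitizer" that only strips <script> elements, included to
// show why input filtering alone does not fix the bug.
function stripScriptTags(value) {
  return String(value).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Hypothetical vulnerable render: `win` lands inside a double-quoted attribute
// unencoded, so a leading `">` closes the attribute and the tag, and whatever
// follows is parsed as new markup (the report's "> breakout).
function renderVulnerable(win) {
  return `<input type="hidden" name="win" value="${win}">`;
}

// Same markup with input filtering only (still vulnerable).
function renderFilteredOnly(win) {
  return renderVulnerable(stripScriptTags(win));
}

// Hardened render: the value is encoded for the attribute context it is
// written into, so `"` and `<` can never end the attribute or open a tag.
function renderFixed(win) {
  return `<input type="hidden" name="win" value="${escapeHtml(win)}">`;
}

// Extract `win` from a request URL the way the server would (percent-decoded).
function winParamFromUrl(url) {
  return new URL(url).searchParams.get("win") ?? "";
}

// Tester-side check on a response body: the template emits only an <input>,
// so any other start tag in the output was injected through the parameter.
function hasInjectedTag(html) {
  return /<(?!input\b)[a-z]/i.test(html);
}

// Render one payload through all three variants and report which leak a tag.
function assess(payload) {
  return {
    vulnerable: hasInjectedTag(renderVulnerable(payload)),
    filteredOnly: hasInjectedTag(renderFilteredOnly(payload)),
    fixed: hasInjectedTag(renderFixed(payload)),
  };
}

// The report's proof-of-concept URL, plus a constructed payload that carries
// no <script> element at all and therefore survives stripScriptTags().
const POC_URL =
  'https://td.intelliresponse.com/a6/shared/popupLogin.jsp?win="><script>alert(document.cookie)</script>';
const POC_PAYLOAD = winParamFromUrl(POC_URL);
const NO_SCRIPT_PAYLOAD = '"><img src=x onerror=alert(document.cookie)>';

for (const p of [POC_PAYLOAD, NO_SCRIPT_PAYLOAD]) {
  console.log(JSON.stringify(p), assess(p));
  console.log("  fixed output:", renderFixed(p));
}
```

For the PoC payload, only the unencoded render leaks a tag; the filter-only render strips the script but still breaks out of the attribute. For the second payload the filter-only render leaks an <img> with an event handler, while the encoded render is safe in both cases, which is the point of the remediation text: escape output for its context, and treat input filtering as a secondary control.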

Impact

An attacker could send an administrator a crafted link whose payload captures their credentials (for example by injecting a fake login form) or steals their session, and then abuse the admin privilege to read private data, modify the application, or take over other users' accounts.