U.S. Dept Of Defense: Reflected cross-site scripting vulnerability on a DoD website

2020-01-14T14:53:26
ID H1:774792
Type hackerone
Reporter arman95
Modified 2020-05-14T17:10:13

Description

Hello there !

I'd like to report a 'XSS' vulnerability on a DoD website *https://███/unit/███ , Here in the search engine of the website please enter the following payloads <script>alert(document.domain)</script> & you can even use this payload to steal cookies <script>alert(document.cookie)</script> and hit enter and just scroll you're mouse below the Term: <script>alert(document.domain)</script> to the three icons and as soon as you scroll you're mouse over that three icons you will notice the " pop-up "

FOR CLEAR DEMONSTRATION OF THE VULNERABILITY PLEASE REFER TO THE PROOF-OF-CONCEPT ATTACHED TO THIS REPORT.

Thanks, ████

Impact

XSS vulnerabilities can be used to trick a web user into executing a malicious script, potentially revealing a user's web session information or modify web content & even steal cookies.