Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneGabriel-kimiaieH1:782764
HistoryJan 24, 2020 - 7:03 p.m.

RATELIMITED: xss in /users/[id]/set_tier endpoint

2020-01-2419:03:14
gabriel-kimiaie
hackerone.com
233
JSON

Summary:

[add summary of the vulnerability]
Hello there ! I found an XSS since you forgot to add the json content-type response header right there:
https://github.com/gtsatsis/RLAPI-v3-OOP/blob/508d3c610ccc9076753bdc81151a5e8d76871a3e/src/Controller/UserController.php#L93
The tier parameter is therefore returned with the wrong Content-Type (text/html).
I have been able to verify the existance of the XSS.
Note that you can bypass the '' added to both " & / by using comments such as:

Steps To Reproduce:

[add details for how we can reproduce the issue]

  1. Deploy to a test instance
  2. Create one admin user with correct api key filled in the database
  3. the /users/[id]/set_tier β€œtier” POST parameter is vulnerable to XSS injection.

Supporting Material/References:

  • Selection_033.png =>burp capture attached

Impact

Reflected cross site scripting should be fixed, as an user might be able to steal cookies/escalate privileges.

JSON