Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/page/

2020-05-05T13:53:05
ID H1:866433
Type hackerone
Reporter powerpuff
Modified 2020-05-12T13:49:07

Description

Summary:

Hi :) A reflected XSS occurs on https://apps.topcoder.com/wiki/pages/doeditattachment.action when editing wiki pages attachments.

Steps To Reproduce:

A user can add attachments on https://apps.topcoder.com/wiki/pages/viewpageattachments.action?pageId=165871793 a wiki page and can edit on https://apps.topcoder.com/wiki/pages/editattachment.action?pageId=165871793&fileName=sss.svg. If there is an error, user redirected to doeditattachment path with an error message. An attacker can change the filename parameter and add JS codes. When a victim opens this url, XSS will execute.

PoC: https://apps.topcoder.com/wiki/pages/doeditattachment.action?pageId=165871793&fileName=s%22%3E%3Cimg%20src=X%20onerror=alert(document.domain)%3Ess.svg {F816100}

Impact

XSS can use to steal cookies or to run arbitrary code on victim's browser.