Cloudflare: XSS - http://js.cloudflare.com

2014-04-22T02:12:15
ID H1:8920
Type hackerone
Reporter dekeeu
Modified 2014-05-22T03:15:19

Description

Hi.

I want to report to you a Reflected XSS(cross site scripting) vulnerability that I found in Cloudflare web-application and in a considerable percent can affect the safety of the users . Generally, an "attacker" can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted and will execute the script.

The link where you can see a PoC is: http://js.cloudflare.com/xss%22onload=%22alert%281%29

Steps for reproduce this flaw: Open the link above in a web browser (I recommend Mozilla Firefox or Opera) and you can see that an alertbox will appear , so my javascript function was successfully executed.

Regards, Coltuneac Alexandru