Cookie Parameter to XSS👾 [Bounty Writeups -2]

Thilakesh
2 min read · Sep 19, 2022

XSS is Dead!!! NaN…You don't get it.

Hello everyone! This is my second XSS writeup, following this one. In this post we will see how to get XSS through one of the cookie parameters. So let us start :)

I was testing a private program on HackerOne. This website had some pretty good features, and one of them was posting your land details for lending and resale.

Features like this are more likely to contain bugs. My attention was immediately drawn to this one, so I started testing it right away.

I looked for several bugs there, including IDOR and CSRF, but I was not able to exploit any of them, as the code properly validates every single endpoint with an authentication token and a CSRF token. No bypass worked either.

While checking, I gave invalid inputs in the URL to look for error-handling issues; the application redirected to a 404 page. That page had no input parameters either, so I left it behind and moved on.

After two days of testing the application with many approaches, I got nothing.

Checking the 404 page again, I noticed that there were many cookie parameters going with the request. I found that the “anonymous_id” cookie parameter value was reflected on the application page.

I just tried injecting a payload by closing the script tag and giving the basic XSS payload, and then Boom😎

Woolaaaa…. got a pop-up finally..!!

Remediation:

  1. Input should be validated as strictly as possible on arrival, given the kind of content that it is expected to contain.
  2. User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
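As an added example (not code from the write-up or from the program's application), here is a minimal Python reproduction of the pattern: a hypothetical 404 template that copies the anonymous_id cookie into an inline script, rendered once without encoding and once with the HTML-encoding described in remediation step 2, plus a small check that flags a response in which the input has broken out of the script block. The cookie header, the template and all function names are constructed for this illustration.

```python
import re

# Constructed sample request cookie, not data from the write-up: the value of
# anonymous_id carries a tag that would close the <script> block it is copied into.
SAMPLE_COOKIE_HEADER = "session=abc123; anonymous_id=</script><b>injected</b>"

# Entities for the metacharacters named in the remediation (< > " ' =), plus
# '&' so that an already-encoded value cannot be turned back into markup.
_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "=": "&#x3D;",
}


def html_encode(value: str) -> str:
    """Replace every HTML metacharacter in value with its entity."""
    return "".join(_ENTITIES.get(ch, ch) for ch in value)


def cookie_value(cookie_header: str, name: str) -> str:
    """Pull one cookie out of a raw Cookie header (simplified parser: splits on ';' and '=')."""
    for pair in cookie_header.split(";"):
        key, _, value = pair.strip().partition("=")
        if key == name:
            return value
    return ""


# Hypothetical 404 template that copies the cookie into an inline script.
NOT_FOUND_TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>\n"
    '<script>var visitor = "{anon}";</script>\n'
    "</body></html>"
)


def render_404_vulnerable(cookie_header: str) -> str:
    """Before the fix: the cookie value is copied into the response verbatim."""
    return NOT_FOUND_TEMPLATE.format(anon=cookie_value(cookie_header, "anonymous_id"))


def render_404_fixed(cookie_header: str) -> str:
    """After the fix: the value is HTML-encoded at the point it is copied in.
    Inside <script> the browser treats the content as raw text, so the entities
    are not decoded there and '&lt;/script&gt;' can no longer end the block."""
    return NOT_FOUND_TEMPLATE.format(anon=html_encode(cookie_value(cookie_header, "anonymous_id")))


def script_tags_injected(page: str) -> bool:
    """Detection check for a rendered response: the template has exactly one
    <script> opener and one closer, so a second of either means input broke out."""
    opens = len(re.findall(r"<script\b", page, re.IGNORECASE))
    closes = len(re.findall(r"</script\s*>", page, re.IGNORECASE))
    return opens > 1 or closes > 1


if __name__ == "__main__":
    for label, render in (("vulnerable", render_404_vulnerable), ("fixed", render_404_fixed)):
        page = render(SAMPLE_COOKIE_HEADER)
        print(f"--- {label} ---")
        print(page)
        print("input broke out of the script block:", script_tags_injected(page))
```

The encoding is applied at the moment the value is written into the response, not when the cookie is read, which is the point remediation step 2 makes: the same cookie might be reflected into several places, and each output point needs its own encoding.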

Tips:

Never forget to test all input fields, cookies, headers, etc., on any website, no matter how small it is.

That’s it. See you in the next write-up.

Connect with me on LinkedIn or Twitter

Timeline

22:08, 12 Sep 2022: Reported the bug

04:00, 13 Sep 2022: Triaged
