{"id":214,"date":"2021-01-29T00:24:00","date_gmt":"2021-01-28T17:24:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=214"},"modified":"2024-12-15T00:36:15","modified_gmt":"2024-12-14T17:36:15","slug":"300-bounty-for-exploiting-dom-based-xss","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/300-bounty-for-exploiting-dom-based-xss\/","title":{"rendered":"$300 Bounty for Exploiting DOM-based XSS"},"content":{"rendered":"\n

While analyzing XING’s event management platform, I identified a reflected XSS vulnerability<\/strong> in the way event IDs are handled. The vulnerability occurs because the input is improperly sanitized in a JavaScript context, allowing an attacker to inject and execute arbitrary JavaScript by exploiting unsanitized double quotes.<\/p>\n\n\n\n

I started by inspecting how event pages are loaded on XING. The following URL is used to display event information:<\/p>\n\n\n\n

https:\/\/www.xing-events.com\/HBKCRJV.html<\/code><\/pre>\n\n\n\n
The event ID (HBKCRJV<\/code>) is dynamically inserted into a JavaScript snippet:<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
iframeVWO<\/span>.<\/span>src<\/span> <\/span>=<\/span> <\/span>"<\/span>https:\/\/vwo.xing-events.com\/HBKCRJV.html?language=de<\/span>"<\/span>;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
While the application properly sanitized special characters like <<\/code> and ><\/code>, double quotes (\"<\/code>) were not handled correctly. This allowed me to inject a malicious payload.<\/p>\n\n\n\n
I tested the following payload to confirm the vulnerability:<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
"<\/span>-alert(1)-<\/span>"<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
This resulted in the following URL:<\/p>\n\n\n\n
https:\/\/www.xing-events.com\/HBKCRJV%22-alert(1)-%22.html<\/code><\/pre>\n\n\n\n
When accessing the crafted URL, the malicious payload was reflected in the JavaScript code:<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
iframeVWO<\/span>.<\/span>src<\/span> <\/span>=<\/span> <\/span>"<\/span>https:\/\/vwo.xing-events.com\/HBKCRJV<\/span>"<\/span>-<\/span>alert<\/span>(<\/span>1<\/span>)<\/span>-<\/span>"<\/span>.html?language=de<\/span>"<\/span>;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
This broke out of the original JavaScript string, allowing the injected payload (alert(1)<\/code>) to execute.<\/p>\n\n\n\n
To reproduce the XSS vulnerability, open the following URL in a browser:<\/p>\n\n\n\n
https:\/\/www.xing-events.com\/HBKCRJV%22-alert(1)-%22.html<\/code><\/pre>\n\n\n\n
This triggers the injected JavaScript payload, demonstrating the vulnerability.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Timeline<\/h3>\n\n\n\n
    \n
  • 22\/12\/2020<\/strong>: Report submitted.<\/li>\n\n\n\n
  • 22\/12\/2020<\/strong>: Vulnerability triaged.<\/li>\n\n\n\n
  • 22\/12\/2020<\/strong>: Bounty of $300 awarded.<\/li>\n\n\n\n
  • 26\/01\/2021<\/strong>: Bug fixed.<\/li>\n<\/ul>\n\n\n\n
    This issue highlights the importance of properly sanitizing all user inputs, especially when they are reflected in a JavaScript context. Ensuring that all characters, including double quotes, are properly escaped can prevent similar vulnerabilities.<\/p>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    While analyzing XING’s event management platform, I identified a reflected XSS vulnerability in the way event IDs are handled. The vulnerability occurs because the input is improperly sanitized in a JavaScript context, allowing an attacker to inject and execute arbitrary JavaScript by exploiting unsanitized double quotes. I started by inspecting how event pages are loaded […]<\/p>\n","protected":false},"author":2,"featured_media":216,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,8],"class_list":["post-214","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=214"}],"version-history":[{"count":1,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/214\/revisions"}],"predecessor-version":[{"id":217,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/214\/revisions\/217"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/216"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}