{"id":95,"date":"2020-07-17T10:34:00","date_gmt":"2020-07-17T03:34:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=95"},"modified":"2025-10-14T22:57:11","modified_gmt":"2025-10-14T15:57:11","slug":"reflected-xss-on-att","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/reflected-xss-on-att\/","title":{"rendered":"Reflected XSS on AT&T"},"content":{"rendered":"\n

While performing a Google Dork search for potential vulnerabilities, I used the following query to target AT&T’s website:<\/p>\n\n\n\n

site:att.com ext:jsp<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Discovery of the Vulnerable Page<\/h4>\n\n\n\n
Using this search, I found the following URL:<\/p>\n\n\n\n
https:\/\/www.att.com\/esupport\/serviceInterstitial.jsp<\/code><\/pre>\n\n\n\n
I then used Arjun<\/strong> to identify any unique parameters on the page.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Unusual Parameter Behavior<\/h4>\n\n\n\n
Upon examining the parameters, I noticed something interesting. One parameter’s value was not wrapped in double quotes (\"<\/code>) but was encoded as &quot;<\/code>. Here’s the request and response:<\/p>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.att.com\/esupport\/serviceInterstitial.jsp?source=test<\/code><\/pre>\n\n\n\n
Response:<\/strong><\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span>