[Stored XSS] with arbitrary cookie installation

Arbaz Hussain
1 min read, Sep 17, 2017


  • Severity: Medium
  • Complexity: Easy
  • Weakness: Trusting cookie values without sanitizing malicious input.

While testing one of the HackerOne programs, I found that the value of the refclickid parameter from the URL was being stored in a response cookie:
https://redacted.com/mobile-app/?refclickid=xxxxxxxxxxxxxx
The problem was that the value of refclickid was stored in the Set-Cookie header as Referral=CLICKID=XXXXXX.

The application then took the same reference click ID from the cookie value and wrote it into the response body as JSON inside a <script> tag, without sanitizing the user input, on each and every page.

Attack scenario:

1. The attacker sends the victim the following URL, which sets the refclickid value in the cookie to an XSS payload:
https://redacted.com/mobile-app/?refclickid=%3C%2FScRipt%3E%3CScRipt%3Eprompt(document.domain)%3B%2F%2F.

2. The Set-Cookie value is saved with the XSS payload.

3. When the victim visits https://redacted.com/ or any page under redacted.com, without any parameter, the XSS fires, because the response body takes the value of the stored cookie and writes it inside the <script> tag.
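The following Python is an added illustration, not code from the original post or the affected application, of why this fires and what the fix looks like: the HTML parser closes a script element at the first `</script` it sees, case-insensitively, before any JavaScript runs, so plain JSON encoding of the cookie value is not enough; the serializer must also escape `<`, `>` and `&`. The template string, the function names and the detection helper are assumptions for the example; the payload is the one from the URL above.

```python
import json
import re

# Constructed stand-in for the page's template: the reference click ID taken
# from the cookie is written as JSON inside a <script> tag on every page.
SCRIPT_TEMPLATE = '<script>window.appConfig = {config};</script>'

# The post's own payload, as it reaches the server after URL decoding.
PAYLOAD = '</ScRipt><ScRipt>prompt(document.domain);//'


def render_vulnerable(click_id: str) -> str:
    """Mimics the bug: json.dumps() leaves '<', '>' and '/' untouched, so a
    value containing '</script>' terminates the script element early and
    whatever follows it is parsed as fresh markup."""
    return SCRIPT_TEMPLATE.format(config=json.dumps({"refclickid": click_id}))


def to_script_safe_json(obj) -> str:
    """JSON that is safe to embed inside <script>: '<', '>' and '&' become
    Unicode escapes (\\u003c and so on), which a JS string literal or
    JSON.parse decodes back unchanged but the HTML parser never sees as tag
    characters. json.dumps() already escapes the U+2028/U+2029 line
    terminators because ensure_ascii defaults to True."""
    return (json.dumps(obj)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render_safe(click_id: str) -> str:
    return SCRIPT_TEMPLATE.format(
        config=to_script_safe_json({"refclickid": click_id}))


def script_tag_count(html: str) -> int:
    """Detection check on the rendered page: the template emits exactly one
    script element, so any count other than 2 (open plus close) means a
    value broke out of it."""
    return len(re.findall(r'</?script', html, re.IGNORECASE))


def extract_config(html: str) -> dict:
    """Recover the embedded object the way a JS consumer would, to show the
    escaped form still round-trips to the original value."""
    body = html.split('window.appConfig = ', 1)[1].rsplit(';</script>', 1)[0]
    return json.loads(body)
```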
