[Stored XSS] with arbitrary cookie installation

  • Severity: Medium
  • Complexity: Easy
  • Weakness: Trusting cookie values without sanitizing malicious input.
  • While testing one of the HackerOne programs, the value of the URL parameter refclickid was being stored in a response cookie.
  • The problem was that the value of refclickid was stored in Set-Cookie: Referral=CLICKID=XXXXXX

The application then took the same reference click ID from the cookie value and wrote it into the response body as JSON inside a <script> tag, without any sanitization of the user input, on each and every page.

  • Attack Scenario:
  1. The attacker sends the victim the following URL, which sets the refclickid value to an XSS payload in the cookie.

2. The Set-Cookie value is saved with the XSS payload.

3. When the victim visits https://redacted.com/ or any page under redacted.com without any parameter, the XSS fires because the response body takes the value of the stored cookie and places it inside a <script> tag.
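As an added example (not code from the original report), the vulnerable reflection pattern beside a hardened version: it assumes the cookie layout Referral=CLICKID=<value> from the writeup, and the strict click-id format used for input validation is a hypothetical choice, not something the program documented.

```javascript
// Added example: safe vs. unsafe embedding of a cookie-derived value inside a
// <script> JSON blob. Assumed cookie layout from the report: Referral=CLICKID=<value>

// Extract the CLICKID token from a Cookie request header. Returns null when absent.
function extractClickId(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== 'Referral') continue;
    const value = rest.join('=');           // the value itself contains '=' (CLICKID=...)
    const m = /^CLICKID=(.*)$/.exec(value);
    return m ? m[1] : null;
  }
  return null;
}

// Vulnerable pattern described in the report: raw concatenation into a <script> tag.
function renderUnsafe(clickId) {
  return '<script>var ref = {"clickid": "' + clickId + '"};</script>';
}

// Hardened output encoding: JSON.stringify handles quotes and backslashes; then escape
// characters that are still dangerous inside <script>: '<' so a literal "</script>"
// cannot terminate the block, '>' and '&' for HTML contexts, and U+2028/U+2029, which
// JSON allows unescaped but older JS engines treat as line terminators.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafe(clickId) {
  return '<script>var ref = ' + jsonForScript({ clickid: clickId }) + ';</script>';
}

// Input validation: a click id is an opaque token, so reject anything outside a strict
// allowlist before it is ever written to Set-Cookie (assumed format, not from the report).
const CLICKID_RE = /^[A-Za-z0-9_-]{1,64}$/;
function isValidClickId(clickId) {
  return typeof clickId === 'string' && CLICKID_RE.test(clickId);
}

// Count "</script>" occurrences in rendered HTML; more than one means the value broke out.
function countScriptClosers(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Constructed sample: a Cookie header whose CLICKID tries to close the script tag.
const SAMPLE_COOKIE = 'session=abc123; Referral=CLICKID=x</script><i>injected</i>';
```

Output encoding alone stops the breakout, but validating the click id on the way in keeps hostile values out of the cookie store altogether.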
