[Stored XSS] with arbitrary cookie installation
Sep 17, 2017
- Severity: Medium
- Complexity: Easy
- Weakness: Trusting cookie values without sanitizing malicious input.
- While testing one of the HackerOne programs, I noticed that the value of the refclickid URL parameter was being stored in a response cookie.
https://redacted.com/mobile-app/?refclickid=xxxxxxxxxxxxxx
- The problem: the value of refclickid was stored in Set-Cookie: Referral=CLICKID=XXXXXX
The application then read the same Reference Click ID back from that cookie and embedded it, as JSON inside a <SCRIPT> tag, in the response body of each and every page, without sanitizing the user input.
- Attack Scenario:
1. The attacker sends the victim the following URL, which sets the refclickid cookie value to an XSS payload:
https://redacted.com/mobile-app/?refclickid=%3C%2FScRipt%3E%3CScRipt%3Eprompt(document.domain)%3B%2F%2F.
2. The Set-Cookie value is saved with the XSS payload.
3. When the victim visits https://redacted.com/ or any page under redacted.com, without any parameter, the XSS fires because the response body takes the value of the stored cookie and places it inside a <script> tag.
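To make the root cause concrete, here is an added example (not code from this post or from the affected application) contrasting the unsafe "cookie value into JSON inside a script tag" pattern described above with a hardened version. The function names, the assumed token format for the click ID, and the JSON-in-script escaping are my assumptions, not details from the program.

```javascript
// Added example (not from the original write-up): the unsafe rendering pattern
// described above next to a hardened one. All function names are hypothetical.

// Read the refclickid query parameter the way the affected app did (assumption).
function cookieValueFrom(url) {
  return new URL(url).searchParams.get('refclickid') || '';
}

// Unsafe: the value read back from the cookie is placed inside a <script>
// block as part of a JSON literal. JSON.stringify escapes quotes and
// backslashes but not '<' or '>', so a value containing "</script>" closes
// the block early and whatever follows is parsed as HTML.
function renderUnsafe(clickid) {
  const state = { referral: { clickid } };
  return '<script>var state = ' + JSON.stringify(state) + ';</script>';
}

// Hardened, two layers: (1) only store values that match the expected token
// shape (assumed format); (2) escape characters that matter in a script
// context so the serialized JSON can never terminate the <script> element.
const CLICKID_RE = /^[A-Za-z0-9_-]{1,64}$/;

function sanitizeClickId(value) {
  return CLICKID_RE.test(value) ? value : '';
}

function jsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')   // JS line/paragraph separators were
    .replace(/\u2029/g, '\\u2029');  // invalid in older string literals
}

function renderSafe(clickid) {
  const state = { referral: { clickid: sanitizeClickId(clickid) } };
  return '<script>var state = ' + jsonForScript(state) + ';</script>';
}

// Check used for the comparison: does a closing script tag appear anywhere
// between the rendered block's own opening and closing tags?
function breaksOutOfScript(html) {
  const inner = html.slice('<script>'.length, -'</script>'.length);
  return /<\/script/i.test(inner);
}
```

Note that escaping alone (jsonForScript) already prevents the break-out; the allowlist check is defence in depth for a value that should only ever be an opaque token.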