[Stored XSS] with arbitrary cookie installation

• Severity : Medium
• Complexity : Easy
• Weakness : Trusting the cookies values without sanitizing malicious input.

• While Testing one of the Hackerone Program , the value of the Parameter refclickid from url was getting stored in response cookie’s.

https://redacted.com/mobile-app/?refclickid=xxxxxxxxxxxxxx

• Here problem was the value of refclickid is getting stored in Set-Cookie:Referral=CLICKID=XXXXXX

And Application was storing the same Reference Click ID taking from cookie value to Response of the Body in JSON format under <SCRIPT> TAG’s without any sanitizing user input on each and every page.

• Attack Scenario :

1. Attacker Send’s Victim Following URL to Set Refclickid value as XSS Payload in the cookies.

https://redacted.com/mobile-app/?refclickid=%3C%2FScRipt%3E%3CScRipt%3Eprompt(document.domain)%3B%2F%2F.

2. Set-Cookie Value has been Saved with XSS Payload .

3. When Victim Visit’s https://redacted.com/ or Any Page Under Redacted.com without any parameter XSS is Fired because Response of the Body Takes the Value of Stored Cookie and Saves them under <script> Tag’s.