XSS using a dynamically generated JS file

Severity : High

Complexity: Medium

Weakness: disclosed JS endpoint and unsanitized user input

— — — — — — — — — — — — — — — — — — — — — — — — — — — —

Discovery :

  • While checking Burp Proxy requests, I came across the following JavaScript file.

https://www.site.com/mvcs/kt/tags/pclntny.js

  • I started brute-forcing parameters for the JS endpoint and found ?cb=.
  • It takes the user input and appends it to the getScript calling function. Since the Content-Type is text/plain, we need to find a way to render our input.

https://www.site.com/mvcs/kt/tags/pclntny.js?cb=xxxxxxxxx

  • We know that JS files are not subject to SOP and can be accessed by making cross-domain requests. Luckily, there was no X-Content-Sniffing header either.
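An added example, not code from the original post, modelling the weak behaviour described above beside a hardened version: the callback name is allow-listed, the response is served as JavaScript, and X-Content-Type-Options: nosniff (the header I take the post to mean by "X-Content-Sniffing") is set. The getScript(...) body shape, the function names and the sample inputs are assumptions.

```javascript
// Added example, not code from the original post: a minimal model of a
// dynamic-JS endpoint such as pclntny.js?cb=... and its hardened form.
// The getScript(...) body shape and the function names are assumptions.

// A callback may only be a plain (optionally dotted) JS identifier.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Weak behaviour described in the post: cb is echoed verbatim into the
// script body and served as text/plain with no nosniff header, so a
// cross-origin <script src> still executes whatever was reflected.
function weakCallbackResponse(cb) {
  return {
    status: 200,
    headers: { "Content-Type": "text/plain" },
    body: `getScript(${cb});`,
  };
}

// Hardened: allow-list the callback name, cap its length, declare the real
// content type and send nosniff so the browser never guesses it.
function safeCallbackResponse(cb) {
  const headers = {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  };
  if (typeof cb !== "string" || cb.length > 64 || !CALLBACK_RE.test(cb)) {
    return { status: 400, headers, body: "/* invalid callback */" };
  }
  return { status: 200, headers, body: `getScript(${cb});` };
}

// Constructed inputs: a legitimate callback and a reflected-script payload.
const SAMPLES = ["handleTags", "alert(document.domain);//"];
for (const cb of SAMPLES) {
  console.log(cb, "->", weakCallbackResponse(cb).body,
              "|", safeCallbackResponse(cb).status);
}
```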

Now the task was to find where the https://www.site.com/mvcs/kt/tags/pclntny.js file is being rendered in HTML/JavaScript under https://www.site.com/.

  • I used the Burp Proxy search filter option to look for that endpoint.

I found that it is used in https://www.site.com/user/public/apps/tags?val=pcltny.js

— — — — — — — — — — — — — — — — — — — — — — — — — — — —

Exploitation :

  • Simple PoC:

— — — — — — — — — — — — — — — — — — — — — — — — — — — —

  • Able to bypass their cross-domain policy by injecting AJAX requests.

Tools: https://github.com/maK-/parameth for checking parameters.
