Category: CAPEC-86

CVE-2017-14620, Stored DOM XSS, SmarterStats V11.3.6347

CVE-2017-14620 SmarterStats V11.3.6347 Renders the Referer Version Identification TL;DR SmarterStats Version 11.3.6347, and possibly prior versions, will Render the Referer Field of HTTP Logfiles in URL /Data/Reports/ReferringURLsWithQueries Reporter David Hoyt | XSS.Cx Commentary This Vulnerability was identified back in 2010 when I Reported other Stored XSS Bugs to SmarterTools. Stored XSS is a powerful exploit […]

DOM XSS, location.hash, Stored XSS, Same Origin Policy, CoTS Scanners

Dear – Your CSP doesn’t report Stored XSS, it’s inside SOP. You append my location.hash to your Document and Save the URL in Dash. #DOMXSS TL;DR DOM XSS testing via location.hash is hard to Automate; Get a Bug Bounty or Publish a CVD XSS – Cross Site Scripting 101 DOM XSS begins at window.location.hash ‘#’ […]

AngularJS, XSS, NG-XSS, Coverage Envelope Expansion, Javascript Injection, PoC

AngularJS suffers from XSS {NG-XSS} TL;DR AngularJS is another broken Javascript Framework Portswigger recently released V.1.6.36 which contained an update for AngularJS Injection. A Blog Post by Portswigger Developer Gareth Heyes is available here detailing the identification and confirmation of AngularJS XSS (NG-XSS). Reviewing the Post by Gaz, it’s obvious that he’s proved a method to Identify […]

XSS, arc.help.yahoo.com, Captcha Form, CWE-79, CAPEC-86, Cross Site Scripting, Resolved

XSS in arc.help.yahoo.com at captchaView parameter URL https://arc.help.yahoo.com/arc/arc.php “Please use this form to report the error you are experiencing.” The Form once contained a Captcha Form to prevent Bots and Spam from Submitting the Form. The Form was submitted with a POST containing the XSS in the captchaView Parameter using a Double-URL encoded expression. POST ..&captchaView=visual%2522%253balert%25281%2529%252f%252f… In […]

XSS, homes.yahoo.net, Cross Site Scripting, Javascript Injection, CWE-79, CAPEC-86, PoC, Resolved

PoC Summary The Mortgage Calculator in homes.yahoo.net was vulnerable to Reflected Cross Site Scripting (RXSS) in multiple parameters. Reported to Y! Security in October 2013 and more recently resolved, this PoC was outside the Scope of the Y! Bug Bounty Program. Y! Bug Bounty Scope XSS in homes.yahoo.net The domains and properties below are in […]

Stored DOM XSS, www.ebay.com, Search Breadcrumb, Javascript Injection, Cookie Sink, Resolved

Stored DOM XSS in eBay Search Bread Crumb PoC Summary Stored XSS in www.ebay.com at Search Breadcrumb using multiple Parameters & Cookie Sinks via URL to evade XSS Neutering Routines. Stored XSS in www.ebay.com at Search Breadcrumb Description The Search Breadcrumb in www.ebay.com is dynamically generated based on User Navigation. The Search Terms, Search Breadcrumb […]

linkedin.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved

Resolved: XSS in trk parameter of www.linkedin.com as an authenticated user. Reported to security@linkedin.com on June 11, 2013 and resolved today, August 18, 2013. PoC URL http://www.linkedin.com/today/?trk=today_home_top_today_control</script><script>alert(1)</script> MATCH ON: fs.config({"failureRedirect":"http://www.linkedin.com/nhome/","xhrHeaders":{"X-FS-Origin-Request":"/today/?trk=today_home_top_today_control</script><script>alert(1)</script>","X-FS-Page-Id":"pulse-top-news"}}); REQUIRED: Logged In User XSS in linkedin.com Commentary: LinkedIn has a Vulnerability Rewards Program which results in sending a T-Shirt, which is ridiculous. Instead, it’s suggested that Linked In […]

redhat.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved

Resolved: Search Query XSS in www.redhat.com Reported a while back and fixed more recently. Does your Site have a Search Box? Test for XSS. Does your Site use Omniture Tracking Code? Test for XSS. Once upon a time, www.redhat.com had Search Form XSS in the q Param due to the “old and vulnerable Omniture Code” that allowed […]