Stored XSS with arbitrary cookie installation

AI Summary

A stored XSS vulnerability where unsanitized URL parameters (refclickid) are stored in cookies and later reflected in JSON responses within script tags, allowing arbitrary JavaScript execution on any page visit. The vulnerability relies on the application trusting cookie values without sanitization when inserting them into script contexts.

By Arbaz Hussain · September 17, 2017 (Updated: May 31, 2018)

Severity: Medium
Complexity: Easy
Weakness: Trusting cookie values without sanitizing malicious input.

While testing one of the HackerOne programs, the value of the refclickid parameter from the URL was getting stored in the response cookies.

https://redacted.com/mobile-app/?refclickid=xxxxxxxxxxxxxx

The problem here was that the value of refclickid was getting stored in Set-Cookie: Referral=CLICKID=XXXXXX

The application was then taking the same reference click ID from the cookie value and storing it in the response body in JSON format under
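The weakness described above (a cookie value written into JSON inside a script tag without sanitization) is shown here next to a hardened form. This is an added example, not code from the write-up or the affected application: the cookie name Referral and the CLICKID= prefix come from the page, while the JSON key refClickId, the variable cfg, the click ID format and all function names are assumptions.

```javascript
// Added example. Cookie name "Referral" and the CLICKID= prefix come from the
// write-up; the JSON key "refClickId" and the ID format are assumptions.
const CLICK_ID = /^[A-Za-z0-9_-]{1,64}$/; // assumed allowlist for click IDs

// Pull the click ID out of a Cookie header such as "Referral=CLICKID=abc123".
function clickIdFromCookie(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== "Referral") continue;
    const value = part.slice(eq + 1).trim();
    return value.startsWith("CLICKID=") ? value.slice("CLICKID=".length) : null;
  }
  return null;
}

// "Before": the cookie value is pasted into the inline script untouched.
function renderVulnerable(cookieHeader) {
  const id = clickIdFromCookie(cookieHeader) || "";
  return '<script>var cfg = {"refClickId":"' + id + '"};</script>';
}

// JSON.stringify handles quotes and backslashes but not the HTML parser, which
// ends the script element at the first "</script", so escape <, >, & and the
// two line separators that older JavaScript engines treat as newlines.
function jsonForInlineScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// "After": validate the cookie like any other request input, then encode it
// for the context it is written into.
function renderHardened(cookieHeader) {
  const raw = clickIdFromCookie(cookieHeader);
  const id = raw !== null && CLICK_ID.test(raw) ? raw : null;
  return "<script>var cfg = " + jsonForInlineScript({ refClickId: id }) + ";</script>";
}

// Constructed test value, not taken from the write-up.
const hostile = 'Referral=CLICKID=x"</script><script>alert(1)</script>';
console.log(renderVulnerable(hostile));
console.log(renderHardened(hostile));
console.log(renderHardened("Referral=CLICKID=abc-123"));
```

Validating refclickid against the same allowlist before it is ever written to Set-Cookie closes the storage side as well, but the output encoding is what keeps a cookie set by any other means from reaching the script context.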