XSS using dynamically generated js file

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · bug-bounty
Summary: A dynamically generated JavaScript endpoint reflects the unsanitized cb callback parameter into the script body and serves it as text/plain without an X-Content-Type-Options: nosniff header. Because a page on the same site pulls that file in as a script, the injected JavaScript executes in the context of the target domain.
Arbaz Hussain · July 19, 2017 (Updated: May 18, 2018)

Severity: High
Complexity: Medium
Weakness: Disclosing a dynamic JS endpoint and not sanitizing user input

Discovery:

While reviewing requests in the Burp Proxy history I came across the following JavaScript file:

https://www.site.com/mvcs/kt/tags/pclntny.js

I started brute-forcing parameters for this JS endpoint and found ?cb=, which takes the user-supplied value and appends it to a getScript calling function (effectively a JSONP-style callback name):

https://www.site.com/mvcs/kt/tags/pclntny.js?cb=xxxxxxxxx

The response is served with Content-Type: text/plain, so opening the URL directly only displays the text. We need to find a place where the response is actually rendered and executed as script.

Script files are not protected by the same-origin policy in the way documents are: a <script src=...> include is allowed across origins, and the included code runs with the privileges of the page that includes it. Luckily there was no X-Content-Type-Options: nosniff header either, so a browser will execute the text/plain response when it is loaded through a script tag (with nosniff set, only responses with a JavaScript MIME type are executed).

Now the task was to find where https://www.site.com/mvcs/kt/tags/pclntny.js is included in HTML or JavaScript under https://www.site.com/. I used the Burp Proxy search filter to look for that endpoint and found it being used at:

https://www.site.com/user/public/apps/tags?val=pcltny.js

With attacker-controlled JavaScript executing in the context of www.site.com, I was able to bypass their cross-domain policy by injecting AJAX requests from the included script.

Tools:

https://github.com/maK-/parameth for brute-forcing parameters.

References:

https://www.hurricanelabs.com/blog/new-xssi-vector-untold-merits-of-nosniff
https://www.scip.ch/en/?labs.20160414
http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion

Nice little bounty!

#javascript #xss-attack