XSS Because of wrong Content-type Header

Hello All,

XSS because of Wrong content type in InternShala.com

Internshala :
Internshala is an internship platform, this website helps students find internships with organisations in India - wiki

While checking this site  I got an endpoint which didn't had CSRF protection.
I can change the user details (name, address,etc) Not email :(

One thing that was weird with that endpoint was that  it was giving  a JSON response
But the content type header was not  : application/javascript

Rather it was set as :  text/html 

I was fiddling with that as I knew if we can inject html then we can get XSS here  :D

But they had filters so it was just HTML Injection -_- that isn't  cool to report 

But there was another parameter  current_city_administrative_area_level_2 
changing its value caused and error  

Lets Build Payload 

Problem no (1)

White space was not allowed  between text and neither  forward slash /    was allowed

so I use + for that :p 
Payload : <h1+onmouseover

Now i was able to inject event handlers :D 

Problem no (2)

Next alert and prompt was blocked :v

But they forgot confirm :D
Payload : <h1+onmouseover=confirm

Problem no (3)

Parentheses/brackets ( )  were blocked :3

so i use backtick ` instead 

Payload : <h1+onmouseover=confirm`1`

Problem  no (4)

we need to end the tag with > but this wasn't allowed -_-
so i use  +%0a for that :v 

Payload : <h1+onmouseover=confirm`1`+%0a>Lol</h1>

Finally it worked ^_^

So keep an eye at the Content-type header when there is  JSON response

My Reaction

My XSS Guru's

Note : This bug is Patched by InternShala Team



Post a Comment

Popular posts from this blog

Exploiting CORS Misconfiguration using XSS

Two Factor Authentication Bypass | SendGrid