XSS Because of wrong Content-type Header

Hello All,

XSS because of Wrong content type in InternShala.com


Internshala :
Internshala is an internship platform, this website helps students find internships with organisations in India - wiki

While checking this site  I got an endpoint which didn't had CSRF protection.
I can change the user details (name, address,etc) Not email :(


One thing that was weird with that endpoint was that  it was giving  a JSON response
But the content type header was not  : application/javascript

Rather it was set as :  text/html 



I was fiddling with that as I knew if we can inject html then we can get XSS here  :D


But they had filters so it was just HTML Injection -_- that isn't  cool to report 


But there was another parameter  current_city_administrative_area_level_2 
changing its value caused and error  

Lets Build Payload 


Problem no (1)

White space was not allowed  between text and neither  forward slash /    was allowed

so I use + for that :p 
Payload : <h1+onmouseover

Now i was able to inject event handlers :D 

Problem no (2)

Next alert and prompt was blocked :v

But they forgot confirm :D
Payload : <h1+onmouseover=confirm

Problem no (3)

Parentheses/brackets ( )  were blocked :3

so i use backtick ` instead 

Payload : <h1+onmouseover=confirm`1`

Problem  no (4)

we need to end the tag with > but this wasn't allowed -_-
so i use  +%0a for that :v 

Payload : <h1+onmouseover=confirm`1`+%0a>Lol</h1>



Finally it worked ^_^



So keep an eye at the Content-type header when there is  JSON response

My Reaction




My XSS Guru's
@soaj1664ashar
@brutelogic
@Asystolik


Note : This bug is Patched by InternShala Team


Thanks

Comments

Post a Comment

Popular posts from this blog

Exploiting CORS Misconfiguration using XSS

Image
Hello All, This Post is about how i exploited a Cross Origin Resource Sharing (CORS) Misconfiguration with the help of Cross Site Scripting (XSS) After reporting some bugs to Netgear Kudos program I started getting old private program invites on Bugcrowd One of which was with 300+ researchers and running from 2015 I wasn't happy about that, As i thought  I won't be able to find any thing as the program is running from such a long time and so many others have looked at it before me.  Even if i will get something the chances of that being duplicate is high. But then Osama said this So I finally started looking at it and trying my best to find something, Got one P3  but it went duplicate :( But then I got an endpoint that was having simple CORS misconfiguration and the endpoint was giving user details like email address , age , g ender , DOB , etc in response It was triaged, paid and fix within a week I was happy and was planing ...
Read more

Open Redirect In Flock | My First Swag pack

Image
Hello Every one, This  post is about an Open Redirect that i found in Flock.co back in 2016 So back then, in 2016  I started finding bugs in various sites and all I was getting was duplicate, wont'fix,Thanks and few Hall of Fame  :( One day one of my friend posted about goodies that he has got from Flock So i started looking for bugs on it  Got one reflected XSS that turned out to be a out of scope site :3 And one open redirect that got valid :D That got me my first swag pack :D Wait a sec ? you didn't came here to read my story :v Technical part : This was there login system 1) User enters login credentials 2)  It gets validated 3) They Redirect to dashboard This what the redirect url looked liked https://auth.flock.co/login?auth_token=xyz&platform=BROWSER&redirect_uri=https%3A%2F%2Fflock.co So i changed the redirect_uri parameter value to google.com and it worked ^_^       ...
Read more