XSS Because of wrong Content-type Header

Hello All,

XSS because of Wrong content type in InternShala.com


Internshala :
Internshala is an internship platform, this website helps students find internships with organisations in India - wiki

While checking this site  I got an endpoint which didn't had CSRF protection.
I can change the user details (name, address,etc) Not email :(


One thing that was weird with that endpoint was that  it was giving  a JSON response
But the content type header was not  : application/javascript

Rather it was set as :  text/html 



I was fiddling with that as I knew if we can inject html then we can get XSS here  :D


But they had filters so it was just HTML Injection -_- that isn't  cool to report 


But there was another parameter  current_city_administrative_area_level_2 
changing its value caused and error  

Lets Build Payload 


Problem no (1)

White space was not allowed  between text and neither  forward slash /    was allowed

so I use + for that :p 
Payload : <h1+onmouseover

Now i was able to inject event handlers :D 

Problem no (2)

Next alert and prompt was blocked :v

But they forgot confirm :D
Payload : <h1+onmouseover=confirm

Problem no (3)

Parentheses/brackets ( )  were blocked :3

so i use backtick ` instead 

Payload : <h1+onmouseover=confirm`1`

Problem  no (4)

we need to end the tag with > but this wasn't allowed -_-
so i use  +%0a for that :v 

Payload : <h1+onmouseover=confirm`1`+%0a>Lol</h1>



Finally it worked ^_^



So keep an eye at the Content-type header when there is  JSON response

My Reaction




My XSS Guru's
@soaj1664ashar
@brutelogic
@Asystolik


Note : This bug is Patched by InternShala Team


Thanks

Comments

Post a Comment

Popular posts from this blog

Exploiting CORS Misconfiguration using XSS

Two Factor Authentication Bypass | SendGrid