Reflective Cross-site scripting (rXSS)
Severity: High Discovered: 10 October 2022, 11:11 PM
CWE ID
CWE-79
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
This vulnerability was found in the query string by changing the value of the parameter "".
The value '"}}]]<div OnCliCk=alert(336728)></div> was injected, which caused the target to execute an alert function with the value 336728, verifying that the JavaScript injection was successful.
Possible exposure
Abusing Reflective XSS might allow an attacker to inject a malicious payload and steal session cookies and other sensitive data, or to manipulate a user's interaction with the application.
Remediation suggestions
To remedy this vulnerability, a proper input validation and sanitization should be applied to the "" parameter.
The best course of action is not to blacklist or disallow specific characters, but instead to verify that the input has the relevant types and structure.
For example, the value of the above parameter is detected as type: MultiParse::DataType::String. A good start is to verify that it is not a different type of data structure.
Another good approach is to validate that integer fields accept only integers, text fields only accept alphabetical characters (if possible) and types (such as JSON or other formatted objects) are verified and parsed before being digested and reflected back to the user.
Request
GET https://brokencrystals.com/api/testimonials/count?query=%27%22%7D%7D%5D%5D%3Cdiv+OnCliCk%3Dalert%28336728%29%3E%3C%2Fdiv%3E HTTP/1.1
Accept: application/json, text/plain, */*
Referer: https://brokencrystals.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept-Encoding: identity
Content-Length: 0
Response
HTTP/1.1 200
Connection: keep-alive
Content-Length: 121
Content-Type: text/html
Date: Mon, 10 Oct 2022 23:11:11 GMT
Server: nginx/1.19.8
access-control-allow-origin: *
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval'
strict-transport-security: max-age=0
vary: Origin
x-content-type-options: 1
x-xss-protection: 0
set-cookie: bc-calls-counter=1665443471281
'"}}]]<div OnCliCk=alert(336728)></div> - unterminated quoted string at or near "'"}}]]<div OnCliCk=alert(336728)></div>"
Screenshots

External links