Oracle Cross Site Scripting Vulnerability - Adesh Kolte

Adesh Kolte
Feb 10, 2018 · 2 min read

Author:

Adesh Nandkishor Kolte (an independent cyber security researcher)

Founder of Toss Consultancy Pvt Ltd

Vulnerable Module:

Oracle Enterprise Performance Management Workspace

Severity Level:

Medium

Vulnerable URL :

https://docs.oracle.com/cd/E17236_01/epm.1112/hpm_user/frameset.htm?

Payload:

javascript:alert(/xss/)

Vulnerable Parameter:

frameset.htm?

Technical Details & Description:

Cross-site scripting (XSS) is a client-side code injection attack in which an attacker gets malicious script (often called a malicious payload) included in a legitimate website or web application. XSS is among the most common web application vulnerabilities and occurs when a web application includes unvalidated or unencoded user input in the output it generates.

An attacker leveraging XSS does not target the victim directly. Instead, the attacker exploits a vulnerability in a website or web application that the victim visits, using the vulnerable site as a vehicle to deliver a malicious script to the victim's browser.

How Cross-site Scripting works

To run malicious JavaScript in a victim's browser, an attacker must first find a way to inject a payload into a web page the victim visits. The attacker may also use social engineering to convince a user to visit a vulnerable page with the injected JavaScript payload.

For an XSS attack to take place, the vulnerable website must directly include user input in its pages. The attacker can then insert a string that is used within the web page and treated as code by the victim's browser.
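A defender-side check for this class of bug, added here as an example and not part of the original post or of Oracle's code: a frameset page that takes its content-frame target from the query string should accept only same-origin pages inside the documentation directory and reject `javascript:` and every other non-HTTP scheme before the value reaches a frame's `src`. The base URL, directory, sample inputs and function names are placeholders chosen for this example; that the Oracle page read its target from `location.search` is an assumption, not something the post states.

```javascript
// Added example (not from the original post or Oracle): validating a frame
// target taken from the query string before assigning it to a frame's src.
// Assumptions: the frameset reads location.search and loads it into a frame;
// BASE and the function names are placeholders chosen for this example.
const BASE = "https://docs.example.test/cd/DOC_SET/guide/";

// Return an absolute URL the frame may load, or null if the candidate is
// unacceptable. Relying on the WHATWG URL parser means tabs/newlines and
// mixed case in the scheme ("java\tscript:", "JaVaScRiPt:") are normalised
// before the protocol is checked, so no string blacklist is needed.
function safeFrameTarget(candidate, base = BASE) {
  if (typeof candidate !== "string" || candidate.length === 0) return null;
  const baseUrl = new URL(base);
  let target;
  try {
    target = new URL(candidate, base);           // resolves relative paths and ".." segments
  } catch {
    return null;                                 // unparseable input
  }
  // Only http(s) may ever be a frame source here: rejects javascript:, data:, vbscript:, ...
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // Same origin only: rejects "//evil.example/x" and absolute foreign URLs.
  if (target.origin !== baseUrl.origin) return null;
  // Stay inside the documentation directory; "../../" has already been resolved above.
  if (!target.pathname.startsWith(baseUrl.pathname)) return null;
  // Strip any credentials smuggled into the authority part.
  target.username = "";
  target.password = "";
  return target.href;
}

// What the frameset's inline script would do: read the query string, validate it,
// and fall back to the table of contents instead of loading whatever was supplied.
function frameSrcFromQuery(search, fallback = "toc.htm") {
  const raw = search.startsWith("?") ? search.slice(1) : search;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);           // validate what the browser will actually see
  } catch {
    decoded = "";                                // malformed %-sequence: treat as empty
  }
  return safeFrameTarget(decoded) ?? new URL(fallback, BASE).href;
}

// Constructed inputs: the shape of the page's own payload plus common variations.
const SAMPLES = [
  "?javascript:alert(/xss/)",
  "?JaVaScRiPt:alert(1)",
  "?java\tscript:alert(1)",
  "?data:text/html,<script>alert(1)</script>",
  "?//evil.example/frame.htm",
  "?../../other_guide/index.htm",
  "?ch01.htm",
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", frameSrcFromQuery(s));
```

The design choice worth noting is that the check is an allow-list on the parsed result (http(s), same origin, inside the expected directory) rather than a search for the substring `javascript:`; the parser normalises case, whitespace and dot segments, so the evasions that defeat substring filters never reach the comparison.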

How to reproduce this issue?
1. Visit this URL; it will show an XSS alert popup:

https://docs.oracle.com/cd/E17236_01/epm.1112/hpm_user/frameset.htm?javascript:alert(/xss/)

Proof Of Concept:

Vulnerability Status:

Fixed

Hall Of Fame:

Thanks For Reading :)
