[Stored XSS] with arbitrary cookie installation
- Severity: Medium
- Complexity: Easy
- Weakness: Trusting cookie values without sanitizing malicious input.
- While testing one of the HackerOne programs, the value of the URL parameter `refclickid` was being stored in a response cookie.
- The problem was that the value of `refclickid` was stored as `Set-Cookie: Referral=CLICKID=XXXXXX`, and the application then took the same Reference Click ID from the cookie value and wrote it into the response body as JSON inside a `<script>` tag, without any sanitizing of user input, on each and every page.
- Attack scenario:
1. The attacker sends the victim a URL that sets the `refclickid` value to an XSS payload, which is then stored in the cookie.
2. The `Set-Cookie` value is saved with the XSS payload.
3. When the victim visits https://redacted.com/ or any page under redacted.com, without any parameter, the XSS fires because the response body takes the stored cookie value and writes it inside a `<script>` tag.
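The following is an added example, not code from the original report or from the affected application. It reproduces the weakness pattern described above (a `Referral=CLICKID=...` cookie value concatenated into a JSON literal inside a `<script>` tag) next to a hardened rendering that allow-lists the click ID and encodes the JSON for the script context. The cookie format is taken from the report; the JavaScript variable name `referral`, the click-ID allow-list pattern, and the sample cookie value are assumptions constructed for the example.

```python
import json
import re

# Constructed sample cookie value (not taken from the original report). It carries
# characters that would close the surrounding <script> element if copied verbatim.
SAMPLE_COOKIE_VALUE = 'CLICKID=abc123</script><!--'


def parse_referral_cookie(cookie_value: str) -> dict:
    """Parse a 'Referral' cookie of the form KEY=VALUE;KEY=VALUE into a dict."""
    fields = {}
    for part in cookie_value.split(';'):
        if '=' in part:
            key, _, value = part.partition('=')
            fields[key.strip()] = value.strip()
    return fields


def render_vulnerable(cookie_value: str) -> str:
    """Mirrors the weakness in the report: the cookie value is pasted into a
    <script> block by string concatenation. A '</script>' inside the value ends
    the block early and everything after it is parsed by the browser as HTML."""
    clickid = parse_referral_cookie(cookie_value).get('CLICKID', '')
    return '<script>var referral = {"CLICKID": "' + clickid + '"};</script>'


def to_script_safe_json(obj) -> str:
    """json.dumps plus escaping of '<', '>', '&' and the JavaScript line
    terminators U+2028/U+2029, so the literal can never terminate the enclosing
    <script> element, whatever the data contains."""
    text = json.dumps(obj)
    return (text.replace('<', '\\u003c')
                .replace('>', '\\u003e')
                .replace('&', '\\u0026')
                .replace('\u2028', '\\u2028')
                .replace('\u2029', '\\u2029'))


# Assumed allow-list for a click ID: alphanumerics, '_' and '-', at most 64 chars.
CLICKID_RE = re.compile(r'[A-Za-z0-9_-]{1,64}')


def render_hardened(cookie_value: str) -> str:
    """Validate the cookie-derived value against the allow-list, then encode it
    for the <script> context (defence in depth: both steps, not just one)."""
    clickid = parse_referral_cookie(cookie_value).get('CLICKID', '')
    if not CLICKID_RE.fullmatch(clickid):
        clickid = ''  # reject anything that is not a plain click ID
    payload = to_script_safe_json({'CLICKID': clickid})
    return '<script>var referral = ' + payload + ';</script>'


def script_block_is_intact(html: str) -> bool:
    """True when the rendered fragment contains exactly one '</script>', i.e. the
    embedded data did not break out of the script element. Useful as a unit
    test for any page that reflects cookie data into inline scripts."""
    return html.count('</script>') == 1


if __name__ == '__main__':
    print('vulnerable intact:', script_block_is_intact(render_vulnerable(SAMPLE_COOKIE_VALUE)))
    print('hardened  intact:', script_block_is_intact(render_hardened(SAMPLE_COOKIE_VALUE)))
    print(render_hardened('CLICKID=abc123'))
```

The allow-list check alone would already stop this particular case, but the JSON escaping is what protects every other place the same value is reflected; browsers do not apply JavaScript string escaping when they scan for `</script>`, so `\u003c` is the encoding that keeps the element boundary intact.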