[Stored XSS] with arbitrary cookie installation

Arbaz Hussain
Sep 17, 2017 · 1 min read

  • Severity : Medium
  • Complexity : Easy
  • Weakness : Trusting cookie values without sanitizing malicious input.

  • While testing one of the HackerOne programs, the value of the URL parameter refclickid was getting stored in the response cookies.
https://redacted.com/mobile-app/?refclickid=xxxxxxxxxxxxxx
  • The problem here was that the value of refclickid is stored in Set-Cookie: Referral=CLICKID=XXXXXX

And the application was echoing the same reference click ID, taken from the cookie value, into the response body as JSON inside <script> tags, without any sanitizing of the user input, on each and every page.


  • Attack Scenario :
  1. Attacker sends the victim the following URL to set the refclickid value in the cookies to an XSS payload.
https://redacted.com/mobile-app/?refclickid=%3C%2FScRipt%3E%3CScRipt%3Eprompt(document.domain)%3B%2F%2F.

2. The Set-Cookie value has been saved with the XSS payload.

3. When the victim visits https://redacted.com/ or any page under redacted.com without any parameter, the XSS fires because the response body takes the value of the stored cookie and places it inside <script> tags.
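As an added example (not code from the original post or the affected application), here is the pattern described above in miniature: a value read from a cookie is embedded as JSON inside an inline <script>, first the unsafe way and then hardened by allow-listing the click ID before it is ever set as a cookie and by escaping `<`, `>` and `&` as JSON unicode escapes at output time. The function names and the 64-character allow-list are my assumptions.

```python
import json
import re

# Constructed example: how a server might embed a cookie-derived click ID in an
# inline <script> block, unsafe vs. hardened.

def render_unsafe(clickid: str) -> str:
    """Mirrors the pattern in the post: the cookie value is dropped straight
    into JSON inside a <script> tag, so a value containing </script> ends the
    block early and the remainder is parsed as markup."""
    return '<script>var ref = {"clickid": "' + clickid + '"};</script>'

# Defence 1: validate at ingress, before the value is written to Set-Cookie.
# Allow-list is an assumption; real click IDs would define their own format.
_CLICKID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def valid_clickid(value: str) -> bool:
    """True only if the whole value matches the allow-listed click ID format."""
    return _CLICKID_RE.fullmatch(value) is not None

# Defence 2: escape at output. json.dumps alone leaves < > & untouched, and the
# HTML parser does not honour JSON string quoting when it looks for </script>.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}

def json_for_script(value) -> str:
    """JSON text safe to place inside a <script> block: the three characters
    that can terminate or alter the block are replaced by unicode escapes,
    which JSON.parse and JS string literals decode back to the originals."""
    out = json.dumps(value)
    for ch, esc in _SCRIPT_ESCAPES.items():
        out = out.replace(ch, esc)
    return out

def render_hardened(clickid: str) -> str:
    """Same page fragment, but the cookie value can no longer close the tag."""
    return "<script>var ref = " + json_for_script({"clickid": clickid}) + ";</script>"

def script_breaks_out(html: str) -> bool:
    """Detection helper: a second </script> means the embedded value ended the
    intended block early (case-insensitive, as the HTML parser is)."""
    return html.lower().count("</script>") > 1
```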
