[POC] Cross-Site Scripting on Garuda Indonesia Website

Hello, This is my 3rd post about bug bounty. First of all, i want to say thank you to Garuda Indonesia and I’m sorry for my bad english. As we knew, Garuda Indonesia is the Best of the best airline on Indonesia. Ok, lets begin.

1st, im was tying to register new member on https://www.garuda-indonesia.com/

There is a login/register page. Then i clicked register button.

As same as like the others people, i try to register my personal information on the website.

Fill all of personal information and then try to activated my email.

After that, i was trying to complete all of personal information. But wait, as a bug hunter maybe i can do something with this form site. i try to inject my XSS script.

TADAAAAAAAAAAAAAAAAAAAAA, I found that vuln on “update companion form”

XSS
XSS inject script image

That’s It. See Ya………………………………………….

timeline

  • 3/11/2018 (Submit Report)
  • 5/11/2018 (Mitigation Bug)
  • 16/11/2018 (Reward & Bug Closed)

Tools

  • Burpsuite
  • Nmap
  • Wappalyzer