Combining DOM and reflected XSS to bypass input sanitization in Checkpoint.com
I was looking around checkpoint.com to see if I could find any low-hanging fruit. Checkpoint does not have a bug bounty program, but as a company that does a great job exposing vulnerabilities in other companies' applications, it made me want to check whether the camel sees its own hump.
So I started with some Google dorking, looking for any interesting endpoints. After a few minutes I stumbled upon a page that looked very old-fashioned: https://appwiki.checkpoint.com/appwikisdb/public.htm . That is always a good sign when you are looking for a poorly secured web application.
Obviously the first thing that drew my attention was the search bar. I opened Burp Suite and intercepted the request. I submitted a random string and saw it reflected in the value attribute of an input tag.
After playing around a bit, I found out that besides the parentheses, the single quote ('), semicolon (;), backtick (`), less-than and greater-than signs (<>) and the word "script" were also sanitized. I tried different payloads but could not find one that worked.
One mistake I made from the start was using the "onload" event inside the input tag. "onload" is my go-to JS event when searching for XSS, but I was not aware that on an input tag it only fires if the tag has a "type=image" attribute with a valid "src". So I might have missed some payloads that would have worked, but it eventually led to finding a cooler payload.
First I changed the JS event to "onmouseover", which works on an input tag, and tested the payload "onmouseover=window.location=navigator.userAgent". Assigning to window.location runs JavaScript without any parentheses, and navigator.userAgent supplies a string without typing a quote, so nothing in the payload hits the blacklist. It worked great. As my User-Agent started with "Mozilla…", I was forwarded to "/appwikisdb/M".
So I did, and here is the final payload:
The vulnerability was reported and patched by Checkpoint’s Security team within 3 hours.
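To make the failure mode concrete, here is an added example (not code from the original post, and not Check Point's code). It reconstructs the blacklist filter as the write-up describes it, reflects a search term into an input's value attribute the way the page's search box did, and puts that beside the fix a reviewer would ask for: encoding for the HTML attribute context. The reflection template, the parameter name q, the double-quote breakout around the event handler, and the helper names are assumptions made for this example; the one extra check on a nested "script" keyword illustrates a general property of single-pass stripping and is not something the write-up tested.

```javascript
// Added example: blacklist filter reconstructed from the write-up's description,
// next to contextual output encoding. Template, parameter name, the double-quote
// breakout and all helper names are assumptions for this illustration.

// Reconstructed blacklist: strips ( ) ' ; ` < > and the word "script"
// (assumption: a single, case-insensitive pass).
function blacklistSanitize(input) {
  return input.replace(/[()';`<>]/g, "").replace(/script/gi, "");
}

// The fix: encode every character that can close an attribute value or start
// markup, so the reflected text stays inert whatever it contains.
function encodeForHtmlAttribute(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return input.replace(/[&<>"'`]/g, (c) => map[c]);
}

// Assumed reflection context: the search term lands in the value attribute.
function renderSearchBox(term, sanitize) {
  return `<input type="text" name="q" value="${sanitize(term)}">`;
}

// The event handler from the write-up, inside an assumed double-quote breakout.
// It contains none of the blacklisted characters: assigning to window.location
// runs JavaScript without parentheses, navigator.userAgent supplies a string
// without a quote, and the trailing x=" swallows the template's closing quote.
const PAYLOAD = '" onmouseover=window.location=navigator.userAgent x="';

// Minimal attribute tokenizer for one start tag, honouring quoted values, so we
// can see which attributes a browser would actually create from the markup.
function attributeNames(tag) {
  const body = tag.replace(/^<[a-z0-9]+/i, "").replace(/\/?>$/, "");
  const isSpace = (c) => /\s/.test(c);
  const names = [];
  let i = 0;
  while (i < body.length) {
    while (i < body.length && isSpace(body[i])) i++;
    if (i >= body.length) break;
    let name = "";
    while (i < body.length && !isSpace(body[i]) && body[i] !== "=") name += body[i++];
    names.push(name.toLowerCase());
    while (i < body.length && isSpace(body[i])) i++;
    if (body[i] === "=") {
      i++;
      while (i < body.length && isSpace(body[i])) i++;
      if (body[i] === '"' || body[i] === "'") {
        const quote = body[i++];
        while (i < body.length && body[i] !== quote) i++;
        i++; // skip the closing quote
      } else {
        while (i < body.length && !isSpace(body[i])) i++; // unquoted value
      }
    }
  }
  return names;
}

// Does the rendered tag carry any on* attribute, i.e. an inline event handler?
function hasInlineHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

function demo() {
  const vulnerable = renderSearchBox(PAYLOAD, blacklistSanitize);
  const hardened = renderSearchBox(PAYLOAD, encodeForHtmlAttribute);
  return {
    payloadSurvivesBlacklist: blacklistSanitize(PAYLOAD) === PAYLOAD,
    vulnerable,
    vulnerableHandler: hasInlineHandler(vulnerable),
    hardened,
    hardenedHandler: hasInlineHandler(hardened),
    // Single-pass stripping can be reassembled: "scr" + "script" + "ipt" -> "script".
    nestedKeyword: blacklistSanitize("scrscriptipt"),
  };
}

console.log(demo());
```

The tokenizer is the check worth keeping: a regex grep for "onmouseover" in the output would flag the encoded version too, because the text is still there; what matters is whether the parser sees it as an attribute name or as part of a quoted value.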