Reflected XSS in Realgm.
A little back story to why I was “hunting” this website in the first place.
I like sports and I enjoy playing them as well. I mainly play Basketball, Soccer and Football (AMERICAN FOOTBALL — Cough U.K. People!).
We all also know Fantasy Football is in progress too, and lots of gambling is taking place at this very moment. So I went to one of my favorite sports website which is Realgm.
I was browsing around and I was thinking to myself — “I wonder if this website is secured and I wonder if everyone on this website is secured as well.”
Turns out they are not. 😒
Let’s start and explain how I found the chain of XSS in the first place.
Steps to reproduce the XSS —
I first did a subdomain scan on Realgm and the list went on for days (exaggeration). I didn’t come across anything useful or useless, just a bunch of domains which weren’t much to go off of.
The tool used for the subdomain scanning — Sublist3r. This is one of my favorite subdomain scanning tools and I always use it since it doesn’t fail on me. I would highly recommend it for Bounty Hunters (Security Researchers).
During my scan, I came across a domain which was weird to me.
This is the domain: https://clippers-scouting.realgm.com/login.phtml?redirect=
So the first thing I did was input an XSS payload in the URL:
Payload(s) and parameter value: "><svg/onload=alert(1)>
I also came across more domains that were similar to it.
- https://hawks-scouting.realgm.com/login.phtml?redirect=/
- https://knicks-scouting.realgm.com/login.phtml?redirect=/
- https://nuggets-scouting.realgm.com/login.phtml?redirect=/
- https://pacers-scouting.realgm.com/login.phtml?redirect=/
- https://pelicans-scouting.realgm.com/login.phtml?redirect=/
- https://pistons-scouting.realgm.com/login.phtml?redirect=/
- https://wizards-scouting.realgm.com/login.phtml?redirect=/
Impact for this:
This allows an attacker to inject custom JavaScript code into the login page that can be used to steal information from Realgm’s user base and lure users to malicious websites, all from a page served under Realgm’s own domain.
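The root cause is a login page that reflects the `redirect` parameter straight into its HTML. The following is an added illustration, not Realgm’s code: a constructed rendering of the vulnerable pattern next to a hardened version that validates the value as a same-site path and HTML-encodes it for the attribute context, using the payload from the write-up as sample input.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: the reflected value reported in the write-up above.
PAYLOAD = '"><svg/onload=alert(1)>'

FORM = '<form action="/login.phtml"><input type="hidden" name="redirect" value="{}"></form>'


def render_vulnerable(redirect: str) -> str:
    """Reflect ?redirect= into the login form with no encoding (the bug class
    described above). A value containing '">' closes the attribute and the
    <input> tag, so the rest of the value is parsed as new markup."""
    return FORM.format(redirect)


def safe_redirect(redirect: str, default: str = "/") -> str:
    """Accept only a same-site absolute path as the post-login destination.
    Rejects full URLs, protocol-relative //host forms and backslash variants,
    which also closes off the open-redirect use of the same parameter."""
    if not redirect.startswith("/") or redirect.startswith("//") or "\\" in redirect:
        return default
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:
        return default
    return redirect


def render_hardened(redirect: str) -> str:
    """Validate the destination, then encode it for an HTML attribute context.
    html.escape(quote=True) turns " < > & into entities, so the value can no
    longer terminate the attribute or start a tag."""
    value = html.escape(safe_redirect(redirect), quote=True)
    return FORM.format(value)


def contains_injected_tag(rendered: str) -> bool:
    """Crude check used here to compare the two renderings: a second tag
    opened inside the form indicates the attribute boundary was broken."""
    return "<svg" in rendered or rendered.count("<input") != 1


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
```

The validation step alone would already neutralise the sample payload (it is not a path), but the encoding step is what protects legitimate paths that happen to carry quotes or angle brackets in a query string.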
Contact:
So the first thing I did was try to reach out to their Support Team, their Forum Administrator(s) and their whole site Support Team.
I also have tried to contact them more than once and sent multiple reports and emails to them and they have NOT answered me.
Which is very unfortunate.
Dates that I contacted them on:
- August 2nd, 2018.
- August 20th, 2018.
- August 30th, 2018.
- September 1st, 2018.
The result and outcome of this has forced me to leave this site as I can see that the Administrators are not willing to answer their emails or even put an effort into fixing this.
This post is NOT meant to do anything harmful to the website. I am just a Security Researcher who is trying to help secure your website — other websites as well.
I hope you see this post and fix your issue very soon and secure your users.
If you have any questions or comments, feel free to message me on Twitter @Skeletorkeys
In regards to this tweet: https://twitter.com/Skeletorkeys/status/1037545324544516096
Thanks for reading.
