[Figure: Proof of concept]

Reflected XSS at Philips.com

Are you aware of any (private) bug bounty programs? I would love to get an invite. Please get in touch with me: Jonathan@Protozoan.nl

[Figure: Winning the award for the eleventh year in a row]
[Figure: Add philips to the target scope; use .* as a wildcard to capture every philips hostname]
[Figure: Example of a site map; you can send a request to the Repeater to test it for XSS]
[Figure: OWASP XSS Prevention Cheat Sheet, Rule #1: escape everything]
[Figure: Example of a properly escaped variable used in the response]
[Figure: Adobe Experience Manager wins the battle]
[Figure: Code that refers to adobedtm.com]
[Figure: Adobe DTM is part of Adobe Experience Cloud; Adobe Experience Manager is the CMS]
[Figure: The first hit]
[Figure: A debug parameter exists; it outputs the 'layout information' of components. Thanks Feike for sharing!]
[Figure: This parameter does exist in the official documentation, which recommends disabling it in production]
[Figure: Adobe even provides an AEM pen-testing cheat sheet for us, thanks again!]
[Figure: Whoops, they forgot to disable the debug mode]
[Figure: The URL is parsed into the page, and the URL path is not escaped, so we are able to inject HTML!]
[Figure: Hmm, some WAF is blocking our request]
[Figure: Output of WhatWaf when checking www.Philips.com]
[Figure: Just run jQuery.fn.jquery in the console; jQuery is loaded if you see a version number]
[Figure: Visitor details stored by Janrain in localStorage]
[Figure: Example of the bypass on lightning.philips.com]
  • The WAF may be improved to block any HTML tags or on-event handler strings in the URL, but blacklisting is never a good solution; we will always find a new payload that bypasses the blacklist.
  • Attacking the browsers of visitors by injecting a framework like beefproject.com
  • Setting up a phishing login
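As an added illustration of the bug class the captions describe (not Philips' or Adobe's code), a hypothetical renderer reflects the request path into "layout debug" output, first unescaped and then with the two fixes the captions point to: debug output disabled in production, and every reflected value HTML-escaped (OWASP Rule #1). The parameter name debugLayout, the component name and the base URL are assumptions.

```javascript
// Hypothetical "layout debug" renderer; debugLayout is an assumed parameter name.
const DEBUG_PARAM = 'debugLayout';

// Minimal entity encoding for an HTML body context (OWASP XSS Prevention Rule #1).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable variant: the request path lands in the HTML unescaped,
// so any markup in the path is rendered by the browser.
function renderDebugInfoVulnerable(requestPath, componentName) {
  return `<div class="layout-debug">Component: ${componentName}<br>Path: ${requestPath}</div>`;
}

// Hardened variant: (1) no debug output at all in production, even if requested;
// (2) untrusted values are escaped before they reach the HTML body.
function renderDebugInfoHardened(requestPath, componentName, { debugEnabled, env }) {
  if (!debugEnabled || env === 'production') return '';
  return `<div class="layout-debug">Component: ${escapeHtml(componentName)}` +
         `<br>Path: ${escapeHtml(requestPath)}</div>`;
}

// Request handler: debug output is appended only when the parameter is present.
// The path is percent-decoded first, mimicking a server that reflects the decoded path
// (an assumption about the server, made so the escaping step is actually exercised).
function handleRequest(rawUrl, config) {
  const url = new URL(rawUrl, 'https://example.invalid'); // placeholder base
  const page = '<main>Page body</main>';
  if (!url.searchParams.has(DEBUG_PARAM)) return page;
  const decodedPath = decodeURIComponent(url.pathname);
  return page + renderDebugInfoHardened(decodedPath, 'hero-banner', config);
}
```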
[Figure: A mention in the Hall of Honors of Philips :-)]

Written by

Medical doctor / Web developer / Security researcher - https://Protozoan.nl
