Reflected XSS on Stack Overflow

This is @newp_th. Today I want to share with you a reflected XSS which I found in Stack Overflow.

While I was testing another domain and spidering it in Burp Suite, I checked the Issues tab to see whether anything had been flagged. Suddenly I learned that Stack Overflow was vulnerable to XSS (I was using the Reflector extension, https://github.com/elkokc/reflector). So I decided to test that Stack Overflow domain.

Reflector extension:

Reflector is a Burp Suite extension that finds reflected XSS on a page in real time while you browse a web site. It includes features such as:

Highlighting of the reflection in the Response tab.
Testing which symbols are allowed in the reflection.
Analysis of the reflection context.
A Content-Type whitelist.

While going through the Stack Overflow domain, I noticed a vulnerable parameter in the Cookie header. I put a simple payload, "></script><img src=x onerror=alert(1)>, into the prov cookie parameter.

Request (screenshot)

After checking the response in IE, I got the XSS popup!!
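To make the defect and the fix concrete, here is an added Python example (not Stack Overflow's code and not part of the original write-up). It assumes a hypothetical page that embeds the prov cookie value inside a quoted JavaScript string and inside an href attribute, which is the kind of context the "></script> prefix of the payload is designed to break out of. The vulnerable renderer reflects the cookie verbatim; the hardened renderer uses context-appropriate encoding (JSON for the script context, with < and > additionally escaped so a literal </script> can never close the block, and HTML escaping for the attribute). The last function mirrors the Reflector extension's "which symbols are allowed" check: it sends a marker with the dangerous characters and reports which of them come back unencoded, which is a useful regression test once a fix has shipped.

```python
import html
import json
import re

# Payload quoted in the write-up; used here only to verify the fix neutralizes it.
PAYLOAD = '"></script><img src=x onerror=alert(1)>'

# Constructed marker so the probe can be located inside the response body.
MARKER = 'rfl'


def parse_cookies(header: str) -> dict:
    """Parse a Cookie request header of the form 'k=v; k2=v2' (assumption: no quoting)."""
    cookies = {}
    for part in header.split(';'):
        if '=' in part:
            name, _, value = part.strip().partition('=')  # split at the first '=' only
            cookies[name] = value
    return cookies


def vulnerable_render(cookie_header: str) -> str:
    """Hypothetical vulnerable page: the prov cookie is reflected verbatim into two contexts."""
    prov = parse_cookies(cookie_header).get('prov', '')
    return (
        '<html><body>'
        f'<script>var prov = "{prov}";</script>'   # quoted JS string context
        f'<a href="/?prov={prov}">next</a>'        # HTML attribute context
        '</body></html>'
    )


def safe_render(cookie_header: str) -> str:
    """Same page with encoding chosen per context, so the cookie value cannot change the markup."""
    prov = parse_cookies(cookie_header).get('prov', '')
    # json.dumps escapes quotes and backslashes; escaping < and > too means the
    # JS string can never contain a literal </script> that would end the block.
    js_literal = json.dumps(prov).replace('<', '\\u003c').replace('>', '\\u003e')
    attr_value = html.escape(prov, quote=True)      # encodes < > & " '
    return (
        '<html><body>'
        f'<script>var prov = {js_literal};</script>'
        f'<a href="/?prov={attr_value}">next</a>'
        '</body></html>'
    )


def unencoded_reflection(render, marker: str = MARKER) -> set:
    """Send marker + '<>"' + marker as the prov cookie and return the characters that
    are reflected literally (a backslash-escaped quote inside a JS string does not count)."""
    probe = marker + '<>"' + marker
    body = render(f'prov={probe}')
    found = set()
    for match in re.finditer(re.escape(marker) + '(.*?)' + re.escape(marker), body):
        segment = match.group(1)
        for ch in '<>"':
            if re.search(r'(?<!\\)' + re.escape(ch), segment):
                found.add(ch)
    return found


def payload_neutralized(render) -> bool:
    """True when the write-up's payload cannot introduce an <img> tag into the response."""
    body = render(f'prov={PAYLOAD}')
    return '<img' not in body


if __name__ == '__main__':
    print('vulnerable reflects unencoded:', sorted(unencoded_reflection(vulnerable_render)))
    print('fixed reflects unencoded:     ', sorted(unencoded_reflection(safe_render)))
    print('payload neutralized (vulnerable):', payload_neutralized(vulnerable_render))
    print('payload neutralized (fixed):     ', payload_neutralized(safe_render))
```

The point of checking `<`, `>` and `"` specifically is that those are the characters the payload needs: `"` to close the JavaScript string, `>` and `<` to close the script element and open a new tag. If a probe shows all three reflected unencoded in a script or attribute context, the page is exploitable regardless of which concrete payload is used, which is why the extension's symbol check is a faster signal than trying payloads by hand.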

Note:
Dedicated to my friend Renjith (https://ae.linkedin.com/in/renjith-tc-bb9b40a1). I greatly appreciate the time you have taken to share your knowledge with me.

HOF on the way!!!!

Timeline
Feb 14th - Report submitted
Feb 19th - Triaged
April 3rd - Fixed