Reflected XSS on ASUS

Hi, this is Thejus Krishnan. This article is on my recent finding of an ASUS web application vulnerability, which was affected by cross-site scripting.

When I was searching for an Asus product, I accidentally found a subdomain, https://press.asus.com.

URL: https://press.asus.com/search?search=. Here I tried XSS.

When I submitted the payload "dvs9c"><script>alert('hello')</script>jnyf0" in the search parameter, BOOM..! I got XSS.

Vulnerable URL: https://press.asus.com/search.php?search=Triodvs9c"><script>alert("hello")</script>jnyf0
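The "> at the start of the payload suggests the search term was echoed inside a quoted HTML attribute. The following is an added example, not code from ASUS or from the original post: it assumes a hypothetical template that reflects the term into an input's value attribute, and shows the unencoded rendering beside an output-encoded one, with a parser-based check that the reflected term creates no new tags.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the payload quoted in the write-up.
PAYLOAD = 'dvs9c"><script>alert(\'hello\')</script>jnyf0'

# Hypothetical template (assumption): the term is echoed into a quoted attribute.
TEMPLATE = '<form action="/search"><input type="text" name="search" value="{term}"></form>'


def render_vulnerable(term: str) -> str:
    """Reflects the raw term; a double quote ends the value attribute early."""
    return TEMPLATE.format(term=term)


def render_hardened(term: str) -> str:
    """Encodes & < > " ' so the term stays inside the attribute value."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class _Audit(HTMLParser):
    """Records every start tag and the value attribute of the search input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")


def audit(page: str):
    """Returns (start tags seen, decoded value attribute) for a rendered page."""
    parser = _Audit()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.value


def reflection_is_safe(term: str, page: str) -> bool:
    """Safe: only the template's own tags exist and the value round-trips."""
    tags, value = audit(page)
    return tags == ["form", "input"] and value == term
```

The same check can run as a regression test against any page that reflects a request parameter, using the page's own expected tag list.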

A few weeks after reporting this issue to the Asus Security Team, I got a reply from the Asus team that the issue has been resolved.

Thanks for reading.

Timeline :

DEC 15 Reported the issue.

DEC 17 Responded

DEC 22 Fixed and HOF approved

DEC 28 Listed in HOF