Reflected XSS on ASUS

Thejus Krishnan
Jan 6, 2019 · 1 min read

Hi, this is Thejus Krishnan. This article is about my recent finding of an ASUS web application vulnerability, which was affected by cross-site scripting.

When I was searching for an Asus product, I accidentally found a subdomain, https://press.asus.com.

URL: https://press.asus.com/search?search= (here I tried XSS).

When I submitted the payload dvs9c"><script>alert('hello')</script>jnyf0 in the search parameter, BOOM! I got XSS.

Vulnerable URL: https://press.asus.com/search.php?search=Triodvs9c"><script>alert("hello")</script>jnyf0
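
Why a string of that shape executes, and what output encoding changes, as an added example that is not code from this post or from Asus. It assumes the search term was echoed into a double-quoted HTML attribute (the page does not show the server code); the template and function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Assumed (hypothetical) template: the search term echoed into the search box.
TEMPLATE = '<form action="/search"><input type="text" name="search" value="{term}"></form>'

# Payload string as given in the post, written with straight quotes.
PAYLOAD = 'dvs9c"><script>alert(\'hello\')</script>jnyf0'


def render_vulnerable(term: str) -> str:
    """Reflects the parameter verbatim: a '"' ends the attribute early."""
    return TEMPLATE.format(term=term)


def render_hardened(term: str) -> str:
    """Encodes &, <, > and both quote characters before reflecting."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class _Audit(HTMLParser):
    """Records script elements and the value attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def audit(markup: str):
    """Returns (number of script elements, parsed value of the input)."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.script_tags, parser.values[0]


if __name__ == "__main__":
    # Vulnerable: one script element, value cut off at the injected quote.
    # Hardened: no script element, the whole term stays inside the attribute.
    for render in (render_vulnerable, render_hardened):
        print(render.__name__, audit(render(PAYLOAD)))
```

The same audit function can serve as a regression test: feed each reflected parameter a quote-and-tag probe and fail the build if the parsed page gains an element.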

A few weeks after reporting this issue to the Asus Security Team, I got a reply from the Asus team that the issue has been resolved.

Thanks for reading.

Timeline :

DEC 15 Reported the issue.

DEC 17 Responded

DEC 22 Fixed and HOF approved

DEC 28 Listed in HOF
