How I Found a Surprising XSS Vulnerability on Oracle NetSuite

Circle Ninja
Mar 2, 2018 · 2 min read

I was hunting and testing websites, trying to earn a few more bucks to put away for my college fees, when I came across this wonderful vulnerability in Oracle NetSuite.

Most sites actually try to secure the search bar more carefully, as they are well aware that it is always a target for attackers looking for reflected XSS.

I simply started using the NetSuite search bar, typing simple payloads. That's when I remembered a type of reflected XSS vulnerability that uses access keys: the injected attribute gives the element an access key, and the browser fires the element's event handler when the key combination is pressed. In my case, if the victim pressed Alt+Shift+X, the XSS would fire.

The vulnerable link was something like this: http://search.netsuite.com/socialsearch/query?cc=www&cn=netsuite&attrFilter=xlmav%22accesskey%3d%22x%22onclick%3d%22alert(document.domain)%22%2f%2fwzraf&q=k+hj+jh+j&submit=

Now, when the victim receives the link and simply presses Alt+Shift+X, the XSS gets triggered at search.netsuite.com (WOHOOO!)

The security team was very fast to mitigate the issue and immediately removed the search functionality. The bug was fixed within a week.

But I wonder why they asked me to delete the unlisted video PoC? Were they afraid of the bug getting disclosed? God knows! Happy that the issue is resolved now.

We need pudding after dinner; likewise, we need a PoC for each bug. So here I am giving the unlisted video PoC for all enthusiasts.

Please don't forget to clap for the story and follow me on Twitter: https://twitter.com/CircleNinja

PS: Please comment if you want to become a writer for this publication and I will add you.

Say hi to me at circleninja@protonmail.com

THANKS A LOT for stopping by!

Bug Bounty Hunting

Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!

Written by Circle Ninja, Software Security Engineer | CyberPunk
