How I Found a Surprising XSS Vulnerability on Oracle NetSuite

Circle Ninja
Mar 2, 2018 · 2 min read

I was going around hunting and penetrating websites, trying to get a few more bucks to save in my pocket (which I later use to pay my college fees), when I came across this wonderful vulnerability in Oracle NetSuite.

Most sites actually try to secure the search bar more, as they are well aware that it is always the target of attackers looking for reflected XSS.

I simply started using the search bar of NetSuite, typing simple payloads. That’s when I remembered a type of reflected XSS vulnerability using access keys. In my case, if the victim pressed Alt+Shift+X, the XSS would fire.

The vulnerable link was something like this: http://search.netsuite.com/socialsearch/query?cc=www&cn=netsuite&attrFilter=xlmav%22accesskey%3d%22x%22onclick%3d%22alert(document.domain)%22%2f%2fwzraf&q=k+hj+jh+j&submit=

Now when the victim receives the link and simply presses Alt+Shift+X, the XSS gets triggered at search.netsuite.com (WOHOOO!)
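To make the mechanism concrete, here is an added example (not code from the original post, and not NetSuite’s own markup, which is unknown). It decodes the attrFilter parameter from the URL quoted above, reflects it into a hypothetical `<input>` tag the way a vulnerable template would, and shows that the embedded quote turns the rest of the input into new `accesskey` and `onclick` attributes. The `accesskey` is what lets the handler fire on a keystroke rather than a click. Beside it is the hardened version: the same template with HTML attribute encoding, which keeps the whole value inside the `value` attribute. The small tokenizer only exists to count attributes for the demonstration.

```javascript
// Added example (not code from the original post or from NetSuite): shows how the
// attrFilter value in the post's URL breaks out of an HTML attribute, and how
// attribute encoding stops it. The markup below is hypothetical; the real
// search page's HTML is not known.

// URL quoted in the post.
const POST_URL = 'http://search.netsuite.com/socialsearch/query?cc=www&cn=netsuite'
  + '&attrFilter=xlmav%22accesskey%3d%22x%22onclick%3d%22alert(document.domain)%22%2f%2fwzraf'
  + '&q=k+hj+jh+j&submit=';

// The attrFilter parameter as the server sees it after URL decoding.
function attrFilterFromUrl(url) {
  return new URL(url).searchParams.get('attrFilter');
}

// Hypothetical vulnerable template: the filter value is reflected straight into
// a double-quoted attribute. The embedded quote closes the value early and the
// rest of the input becomes new attributes (accesskey, onclick).
function renderFilterUnsafe(attrFilter) {
  return `<input type="hidden" name="attrFilter" value="${attrFilter}">`;
}

// HTML attribute encoder for a double-quoted context: the five characters that
// can end the value or change how it is parsed are replaced by entities.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hardened template: same markup, encoded value. The quote in the payload
// becomes &quot;, so the browser keeps the whole input inside `value`.
function renderFilterSafe(attrFilter) {
  return `<input type="hidden" name="attrFilter" value="${encodeAttr(attrFilter)}">`;
}

// Tiny attribute tokenizer for a single start tag, following the rule the HTML
// tokenizer applies: once a quoted value closes, the next non-space character
// starts a new attribute name even without whitespace in between. Demonstration
// only; not a general HTML parser.
function attributeNames(tag) {
  const names = [];
  const isSpace = (c) => /\s/.test(c);
  let i = tag.indexOf(' ');                       // skip "<tagname"
  if (i === -1) return names;
  while (i < tag.length) {
    while (i < tag.length && isSpace(tag[i])) i++;
    if (i >= tag.length || tag[i] === '>') break;
    if (tag[i] === '/') { i++; continue; }        // stray solidus, ignored
    const start = i;
    while (i < tag.length && !/[\s=>\/]/.test(tag[i])) i++;
    if (i > start) names.push(tag.slice(start, i).toLowerCase());
    while (i < tag.length && isSpace(tag[i])) i++;
    if (tag[i] !== '=') continue;                 // attribute without a value
    i++;
    while (i < tag.length && isSpace(tag[i])) i++;
    const q = tag[i];
    if (q === '"' || q === "'") {
      const end = tag.indexOf(q, i + 1);
      i = end === -1 ? tag.length : end + 1;
    } else {
      while (i < tag.length && !/[\s>]/.test(tag[i])) i++;
    }
  }
  return names;
}

// Walk-through with the post's own parameter value.
const payload = attrFilterFromUrl(POST_URL);
console.log('decoded attrFilter :', payload);
console.log('unsafe attributes  :', attributeNames(renderFilterUnsafe(payload)));
console.log('encoded attributes :', attributeNames(renderFilterSafe(payload)));
```

Run it with Node. The unsafe render yields `accesskey` and `onclick` as separate attributes; the encoded render yields only `type`, `name` and `value`. Contextual output encoding (attribute encoding here) is the fix; removing the search feature, as the post describes, stops the bleeding but encoding is what makes the reflection safe.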

The security team was very fast to mitigate the issue and immediately removed the search functionality. The bug was fixed within a week.

But I wonder why they asked me to delete the unlisted video PoC? Were they afraid of the bug getting disclosed? God knows! Happy that the issue is resolved now.

We need pudding after dinner; so is the case where we need a PoC for each bug. So here I am giving the unlisted video PoC for all enthusiasts.

Please don’t forget to clap for the story and follow me on Twitter: https://twitter.com/CircleNinja

PS: Please comment if you want to become a writer for this publication and I will add you.

Say hi to me at circleninja@protonmail.com

THANKS A LOT for stopping by!

Written by Circle Ninja
Wannabe Security JCB | BTech CSE Student from India

Bug Bounty Hunting
Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!