Discovered Reflected Cross-Site Scripting Vulnerable into Shaadi.com


I have discovered a Reflected XSS vulnerability in shaadi.com. It means that an attacker can inject malicious code into the website, which will then be executed by the victim’s browser when they visit the affected page. This can happen through a form, or through any other input field on the website that is not properly sanitized or validated.

What is Reflected Cross-site Scripting?

In Reflected Cross-site Scripting (XSS), the malicious code is sent to the server as part of a request and is then reflected back to the user in the response. This can happen when user input is not properly sanitized or validated by the server before it is included in the response. The malicious code is then executed by the victim’s browser when they view the affected page. Reflected XSS is different from Stored XSS, where the malicious code is stored on the server and served to all users who view the affected page, rather than being injected into the page via a request. Reflected XSS is also different from DOM-based XSS, where the vulnerability is in client-side code rather than server-side code, and the malicious script can be executed as soon as the page loads. It is important to note that all three types of XSS can be used to steal sensitive information, such as login credentials or personal data, or to perform other malicious actions on the victim’s behalf.

Why did it happen?

There are three reasons why it happened:

1. The jQuery library in use is version 1.4.2, which is outdated; the latest is 3.6.1.

2. The X-XSS-Protection header is missing.

3. The parameter is not sanitized properly.

Now the real problem: when I submit any form, the request is sent with the POST method, and a POST-only reflection is marked as Self-XSS (Cross-site Scripting).

What is Self-XSS (Cross-site Scripting)?

Self-XSS is a type of Cross-Site Scripting (XSS) vulnerability where an attacker tricks a victim into executing malicious code in their own web browser. This is typically done by getting the victim to paste or type malicious code into their browser’s developer console or URL bar. The attack is considered “self” because the victim is the one who inadvertently executes the malicious code. This type of vulnerability is often used in phishing or social engineering attacks, where the attacker disguises the malicious code as something harmless in order to trick the victim into running it.

Now I have to execute my JavaScript through a GET request instead. So, first of all, I need to know the parameter name.

How can we find the parameter names?

1. Right-click on any input field and inspect it.

2. Now look at the id value: it is `name`.

Now here you can see how it works…

{Burp View}

{Browser View}

This is how I’m able to get each and every parameter name: name, partner_name, email, partner_email and description.

Impact:

Reflected Cross-Site Scripting (XSS) is a type of web security vulnerability that allows an attacker to inject malicious code into a web page viewed by other users. This can allow the attacker to steal sensitive information, such as login credentials or personal data, or to perform actions on behalf of the victim, such as making unauthorized purchases or posting malicious content. The impact of a reflected XSS attack can be severe, as it can potentially affect all users who view the affected web page and can lead to a loss of trust in the website or online service.

Mitigation:

Input validation: Ensure that user input is properly validated to prevent the injection of malicious code. This can be done by using a whitelist of allowed characters, or by using a library or framework that automatically escapes special characters.

Output encoding: Properly encode any user-supplied data before displaying it on a web page. This can prevent the injected code from being executed by the browser.

Content Security Policy (CSP): Use a CSP header to specify which sources of content are allowed to be loaded by the browser. This can prevent malicious code from being executed if it is included in a script or iframe element.

Use of HttpOnly and Secure cookies: Use the HttpOnly and Secure flags on cookies to prevent them from being accessed by malicious scripts.

Keep software up-to-date: Keep the software used on the website (web server, frameworks, etc.) up-to-date to take advantage of any security fixes that have been released.

Use of security testing tools: Use security testing tools like OWASP ZAP, Nessus, Burp Suite etc. to check and scan the website for vulnerabilities.

Security awareness training: Provide security awareness training to all employees and developers who work with the website to ensure they understand the risks associated with XSS attacks and how to prevent them.
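To make the "output encoding" and header points concrete, here is an added example (not shaadi.com's code, and not part of the original write-up) showing a handler that reflects the form's GET parameters verbatim next to a hardened version that HTML-encodes them, plus the defence-in-depth response headers. The field names come from the write-up; the handler, the `build_query` helper and the probe string are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Form fields named in the write-up. Everything else here is constructed
# for illustration and is not the site's real implementation.
FIELDS = ("name", "partner_name", "email", "partner_email", "description")

# Harmless marker used to check whether a value is reflected unencoded.
PROBE = '"><b>probe</b>'


def build_query(**values: str) -> str:
    """Builds a percent-encoded GET query string from field values."""
    return urlencode(values)


def render_vulnerable(query_string: str) -> str:
    """Reflects GET parameters into the page verbatim: the bug class described."""
    params = parse_qs(query_string, keep_blank_values=True)
    rows = []
    for field in FIELDS:
        value = params.get(field, [""])[0]
        rows.append(f'<input name="{field}" value="{value}">')
    return "<form>" + "".join(rows) + "</form>"


def render_hardened(query_string: str) -> str:
    """Same page, but every reflected value is HTML-entity encoded."""
    params = parse_qs(query_string, keep_blank_values=True)
    rows = []
    for field in FIELDS:
        value = params.get(field, [""])[0]
        # quote=True also encodes " and ', so the value cannot close the attribute.
        rows.append(f'<input name="{field}" value="{html.escape(value, quote=True)}">')
    return "<form>" + "".join(rows) + "</form>"


def security_headers() -> dict:
    """Response headers that complement output encoding (defence in depth)."""
    return {
        # A CSP without 'unsafe-inline' stops an injected inline script from running.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        # Legacy header the write-up found missing; CSP is the effective control today.
        "X-XSS-Protection": "1; mode=block",
    }


def is_reflected_unencoded(rendered: str, probe: str) -> bool:
    """Detection check for a test harness: does the raw probe survive into the HTML?"""
    return probe in rendered
```

Running `render_vulnerable` with the probe in any field shows the raw markup landing in the attribute, while `render_hardened` turns it into `&quot;&gt;&lt;b&gt;probe&lt;/b&gt;`.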

Here, as you can see, the Reflected Cross-Site Scripting vulnerability is marked as Out-of-Scope.

Thanks Guys for reading my write-up…
