Dear followers, i found a reflected Cross Site Scripting issue on the new Paypal Directory service (https://www.paypal.com/directory/merchants), with the following Payload:
&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E
The vulnerable Parameter was the q? Parameter, i was able to break the script contex of the page, i think it was because of the &q Parameteter, but i am not sure Paypal fixed this issue to fast so i couldn’t analyze it more in depth :/
https://www.paypal.com/directory/merchants?q=&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E
Here is my POC i sent in to Paypal : hope you enjoyed! If you have any kind of question please don’t hesitate to ask me, either way here or via email at patrik.fehrenbach(at)it-securityguard.com All the best Patrik
Interested
I have been working in Security in the UK for 10 years. I have only started to get a bit grumpy about security in general, however after reading this piece it has helped changed my attitude a bit. Time for a project methinks 🙂
I think you could get XSS via “&q=payload” because of HPP ( HTTP Parameter Pollution) .
First “q” parameter value was getting filtered while second “q” parameter value was being used for generating output 😀