DEV Community

Cover image for Reflected XSS by jsonp on subdomain
Khaled Nassar
Khaled Nassar

Posted on

Reflected XSS by jsonp on subdomain

hi :D
this my write up about my bug I've found on, first I get URLs from on by using waybackurls tool and I got this URL
this endpoint include XML file via rssurl parameter and covert the content from XML to jsonp

but in headers, content-type: text/html, this allowed to execute HTML tags in this page , so I've created an XML file with XSS payload and upload it on my website
and add the link of the file in rssurl parameter

                <something:script xmlns:something="">alert(1)</something:script>
                <a:script xmlns:a="">alert(2)</a:script>
                    <value><![CDATA[<img src=x onerror=confirm(document.domain)>]]></value>
Enter fullscreen mode Exit fullscreen mode

Done :D

Top comments (0)