Joan Bono

twitter: @joan_bono
Website: joanbono.github.io
Company: Ackcent

MU

View My GitHub Profile

How I found a known XSS in the UPV

I was surfing across the intercambios.upv.es website, and suddenly, I changed the language from the URL, where I tried to put a really basic XSS injection:

"xd><script>alert(document.cookie);</script>

I was really surprised when an alert box prompts in my browser. So, I decide to make a PoC exploiting this.

I created an HTML page:

And then, I recorded this video:

YouTube Viedo

After that, I sent all the information to the UPV’s IT Security Officer.

More or less, the binnacle was:

So, the answer I got from the UPV’s IT Security Officer was:

In English is something like this:

Dear Joan

Yes, the other day I was surfing on the web and I found this XSS. It’s an easy XSS and it’s very serious.

Steal cookies don’t allow you to hijack an Intranet session, because it checks also the IP.

The person in charge is advised and I hope that tomorrow this will be fixed.

Regards and thanks for the collaboration

I was really happy that I reported this 4 months after found it, and just some days ago this man found it too!

I sent to a friend living out of Spain my cookie, because I want to know how was working this Magic IP checking. He hijacks my session without any problem, but I know this is not a problem to fix, I’m sure that this is a known feature!

Thanks for reading!

Joan Bono