Cross-site Scripting (XSS) - DOM - iqcard.informatica.com
High
Informatica
Submitted None
Team Summary
Official summary from Informatica
Researcher identified an aged DNS A record pointing to an IP address not owned by Informatica. Analysis showed that the DNS record was not in use for some time and was removed.
Reported by
rodntt
Vulnerability Details
Technical details and impact analysis
Hello all
I found a DOM based XSS at iqcard.informatica.com
# Description
After finding the path **iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html**, I noticed that the code inside attach.html was vulnerable to DOM XSS, due to the use of the JavaScript *document.location.search*. The code below illustrates the code contained in the attach.html file:
```
<HTML>
<HEAD>
<SCRIPT>
function GetAttach()
{
var strSearch = document.location.search
strSearch = strSearch.substring(1)
document.location.replace(strSearch)
}
</SCRIPT>
</HEAD>
<BODY onload='GetAttach()'>
</BODY>
</HTML>
```
As can be seen in the code above, the variable *strSearch* receives everything that comes from the URL after the ? character and then inserts it into the function *document.location.replace()*. Through this scenario we have some possibilities.
1 - We can direct the user to any page we want, for example:
```
https://iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html?evil.com
```
2 - We can run a DOM Based XSS, using the javascript scheme, blocked:alert(1);
```
https://iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html?blocked:alert(1)
```
# PoC
I uploaded a video and an image.
## Impact
An attacker can redirect a user to a malicious page, execute XSS attacks against users of the application, or use that domain as a phishing vector to attack other users of informatica.com.
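A hardened form of the `GetAttach()` pattern shown in the report, as an added example that is not part of the original report or Informatica's code: it resolves the query string the way the browser would and only navigates when the result is an http(s), same-origin URL inside the attachment directory. The function name, `ALLOWED_PREFIX`, and the `player.example` host with its sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not the site's code. ALLOWED_PREFIX is an assumption:
// attachments are taken to live under the player directory.
const ALLOWED_PREFIX = "/pub/fujitsu/fm3v2/player/";

// Returns an absolute URL that is safe to navigate to, or null.
function safeAttachTarget(search, pageUrl) {
  const raw = search.startsWith("?") ? search.slice(1) : search;
  if (raw === "") return null;

  let target;
  try {
    // Resolve exactly as the browser would, so checks apply to the real destination.
    target = new URL(raw, pageUrl);
  } catch {
    return null;
  }
  // Scheme allowlist: rejects javascript:, data: and any other non-http(s) scheme.
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  // Same origin only: rejects absolute and protocol-relative off-site URLs.
  if (target.origin !== new URL(pageUrl).origin) return null;
  // The resolved path must stay inside the attachment directory (defeats ../).
  if (!target.pathname.startsWith(ALLOWED_PREFIX)) return null;
  return target.href;
}

// Constructed sample query strings on a placeholder host.
const PAGE = "https://player.example/pub/fujitsu/fm3v2/player/attach.html";
const SAMPLES = [
  "?files/manual.pdf",
  "?javascript:alert(1)",
  "?https://evil.example/",
  "?//evil.example/x",
  "?../../../../login",
];

function runSamples() {
  return SAMPLES.map((q) => [q, safeAttachTarget(q, PAGE)]);
}

if (typeof document !== "undefined") {
  // Browser wiring: replaces the onload handler in attach.html.
  window.addEventListener("load", () => {
    const target = safeAttachTarget(location.search, location.href);
    if (target !== null) location.replace(target);
  });
} else {
  // Outside a browser (e.g. Node), print the verdict for each sample.
  for (const [q, result] of runSamples()) console.log(q, "->", result);
}
```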
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-site Scripting (XSS) - DOM