DOM XSS on app.starbucks.com via ReturnUrl
Medium
Starbucks
Team Summary
Official summary from Starbucks
gamer7112 discovered a DOM reflected cross-site scripting vulnerability on app.starbucks.com due to a hex character bypass/blank injections of the ReturnUrl parameter. @gamer7112 — thank you for reporting this vulnerability.
Reported by
gamer7112
Vulnerability Details
Technical details and impact analysis
**Summary:** XSS can be achieved via the ReturnUrl when signing in on app.starbucks.com.
**Platform(s) Affected:** app.starbucks.com
## Steps To Reproduce:
1. Visit https://app.starbucks.com/account/signin?ReturnUrl=%09Jav%09ascript:alert(document.domain)
2. Sign in
## Supporting Material/References:
{F461364}
## How can the system be exploited with this bug?
XSS could be used to steal the account of any victim that signs in via the URL.
## How did you come across this bug?
Retesting report #438240
## Recommendations for fix
Improve the checks on ReturnUrl, such as not allowing hex characters 00-1F.
## Impact
As with any XSS, it could be used to steal the cookies of the victim to gain access to their account.
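The fix recommended above, as an added example that is not part of the report or of Starbucks' code: a string-prefix check is bypassed by the tab-split payload because the browser's URL parser strips ASCII tab/newline before reading the scheme, while rejecting control characters and validating the parsed origin is not. The origin constant and function names are assumptions for this example.

```javascript
// Added example, not code from the report. Assumed origin for the sign-in page.
const ORIGIN = "https://app.starbucks.com";

// Weak check: looks for the literal "javascript:" prefix after lowercasing.
// "%09Jav%09ascript:" decodes to "\tJav\tascript:", which does not match,
// so the payload is accepted (returns true) even though the browser will run it.
function weakCheck(returnUrl) {
  const decoded = decodeURIComponent(returnUrl);
  return !decoded.trim().toLowerCase().startsWith("javascript:");
}

// What the browser actually sees: the WHATWG URL parser removes ASCII tab and
// newline from the input, so the scheme collapses back to "javascript:".
function parsedProtocol(returnUrl, origin = ORIGIN) {
  return new URL(decodeURIComponent(returnUrl), origin).protocol;
}

// Hardened check: reject any ASCII control character (0x00-0x1F, 0x7F) outright,
// then let the URL parser decide the real scheme and origin. Only same-origin
// http(s) targets are accepted; everything else falls back to the site root.
function safeReturnUrl(returnUrl, origin = ORIGIN) {
  let decoded;
  try {
    decoded = decodeURIComponent(returnUrl ?? "");
  } catch {
    return "/"; // malformed percent-encoding
  }
  if (/[\x00-\x1F\x7F]/.test(decoded)) return "/"; // control characters: reject
  let url;
  try {
    url = new URL(decoded, origin); // relative paths resolve against our origin
  } catch {
    return "/"; // unparseable input
  }
  if (url.origin !== origin || !/^https?:$/.test(url.protocol)) return "/";
  // Return only the path portion so the redirect can never leave the origin.
  return url.pathname + url.search + url.hash;
}
```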
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Cross-site Scripting (XSS) - DOM