XSS Weekend

Last weekend I was playing with 1188.mk, an online white pages directory aimed at people in Macedonia.
The goal was to bypass the captcha and get another tool into my automated OSINT tools collection.
The captcha bypass mission failed, but I found XSS on 1188 and 3 other websites from the same company (Itea Solutions).

1188.mk

Summary

The “search” parameter is vulnerable to XSS attacks.
In the expected site usage, this parameter is sent in a POST request, but for some reason the parameter can also be provided via the query string.
The trigger is the onmouseenter event on the search input.

URL
http://1188.com.mk/?search=Mouse goes here %22 onmouseenter=%22alert(%27RandomAdversary%27)
Proof of concept

1188.mk XSS

Healthgrouper

Summary

The “searchterm” parameter is vulnerable to XSS attacks.
The trigger is the onmouseenter event on the search input.
Not optimal, but the goal was to prove that XSS exists, not to create an exploitable scenario.

URL
http://healthgrouper.com/en/search?searchterm= input vulnerable to xss%22%20onmouseenter=%22confirm(%27RandomAdversary%27)
Proof of concept

HealthgrouperXSS

set2explore

Summary

The “textsearch” parameter is vulnerable to XSS attacks.
The trigger is the onmouseenter event on the search input, but it’s also triggered on the name and logo columns of the search results table.

URL
http://set2explore.com/en/fair?textsearch=Mouse goes here%22onmouseenter=%22alert(%27RandomAdversary%27)
Proof of concept

set2explore XSS

MarketKonekt

Summary

The “searchtext” parameter is vulnerable to XSS attacks.
The trigger is the onmouseenter event on the search input.

URL
http://marketkonekt.com/makedonija/search?page=0&searchtext=mouse goes here%22 onmouseenter=%22alert(%27RandomAdversary%27)
Proof of concept

MarketKonekt XSS
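All four findings above (1188.mk, Healthgrouper, set2explore and MarketKonekt) share one root cause: the search term is reflected into the value attribute of the search input without attribute encoding, so a double quote in the parameter closes the attribute and the rest of the input is parsed as new attributes, which is why an onmouseenter handler ends up on the input. The Python below is an added example written for this post, not code from the sites or from Itea Solutions. The HTML templates are assumed minimal stand-ins for the real pages; the parameter names and the 1188.mk URL are the ones listed above. It extracts the term from the query string the same way a server would, renders it both unencoded and attribute-encoded, then parses the result and reports any attribute that was not in the template, which is the check a fix should be verified against.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Search parameter per site, as listed in the post.
SEARCH_PARAMS = {
    "1188.com.mk": "search",
    "healthgrouper.com": "searchterm",
    "set2explore.com": "textsearch",
    "marketkonekt.com": "searchtext",
}

# The 1188.mk URL from the post (the term arrives via the query string).
SAMPLE_URL = ("http://1188.com.mk/?search=Mouse goes here %22 "
              "onmouseenter=%22alert(%27RandomAdversary%27)")

# Attributes the (assumed) search-input template legitimately contains.
EXPECTED_ATTRS = {"type", "name", "value"}


def term_from_url(url: str, param: str) -> str:
    """Pull the search term out of the query string, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]


def render_vulnerable(term: str) -> str:
    """Assumed stand-in for the flawed page: raw reflection into an attribute."""
    return f'<input type="text" name="search" value="{term}">'


def render_fixed(term: str) -> str:
    """Same template with attribute encoding; quote=True turns " and ' into
    entities, so the term can no longer terminate the value attribute."""
    return f'<input type="text" name="search" value="{html.escape(term, quote=True)}">'


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attributes(markup: str) -> list[dict]:
    """Return one attribute dict per <input> in the rendered markup."""
    collector = _InputCollector()
    collector.feed(markup)
    collector.close()
    return collector.inputs


def injected_attributes(markup: str) -> set[str]:
    """Attribute names on any <input> that the template never defined.
    A non-empty result means the term broke out of the value attribute."""
    found = set()
    for attrs in input_attributes(markup):
        found.update(name for name in attrs if name not in EXPECTED_ATTRS)
    return found


if __name__ == "__main__":
    term = term_from_url(SAMPLE_URL, SEARCH_PARAMS["1188.com.mk"])
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        markup = render(term)
        print(f"{label}: injected attributes = {injected_attributes(markup) or 'none'}")
```

Run stand-alone it reports onmouseenter as an injected attribute for the unencoded rendering and none for the encoded one, and the parsed value of the fixed input round-trips to the original term, so legitimate searches containing quotes still work. The same rule applies wherever the term is reflected (set2explore also echoes it into the results table): encode for the context you are writing into, and verify by parsing the output rather than by eyeballing the HTML.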

Conclusion

I was surprised to find an XSS bug of this level of difficulty on a live website. It took about 2 hours to find and verify the bugs, along with a lot of facepalm moments.

Timeline

18 June, 2017 - Vulnerabilities reported via Open Bug Bounty
19 June, 2017 - set2explore and healthgrouper have been accepted under Open Bug Bounty reporting methodology.
26 June, 2017 - Vulnerability details for set2explore and healthgrouper are publicly disclosed.
26 June, 2017 - The rest of the vulnerabilities are reported again via Open Bug Bounty, this time under the full disclosure methodology.
26 June, 2017 - Vulnerability details for 1188 publicly disclosed.
28 June, 2017 - Vulnerability details for MarketKonekt are publicly disclosed.