Thursday, June 13, 2013 XSS vulnerability

I found that it is possible to conduct an XSS attack on the career site on by manipulating the URL and injecting JavaScript. That way, when the user clicks the "Apply" link for a job, the attack is launched.

This could be used to trick innocent users applying for a job at a big company ( customers). When they click "Apply", they could become victims of, for example, redirection to malware sites or drive-by downloads.

Proof of concept: ';alert("xss by @dsopas");//&rps=186&ep=
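The payload above works because the parameter is reflected into an inline JavaScript string, so a leading ' closes the literal and // comments out the rest. The following is an added example, not code from the original post or the affected site, using a constructed query string and a hypothetical jobId parameter to show the vulnerable concatenation beside a hardened renderer that encodes the value for a JS string context:

```javascript
// Constructed query string modelled on the shape of the proof-of-concept URL.
// The parameter name "jobId" is an assumption; the real site's name is unknown.
const CONSTRUCTED_QUERY = "jobId=';alert(\"xss\");//&rps=186&ep=";

// Extract one parameter the way a server-side handler would (URL-decoded).
function getParam(query, name) {
  return new URLSearchParams(query).get(name) || '';
}

// Vulnerable pattern: the value is concatenated straight into a JS string
// literal, so a quote in the input terminates the literal and the rest of
// the input runs as code.
function renderUnsafe(jobId) {
  return "<script>var jobId = '" + jobId + "';</script>";
}

// Hardened pattern: JSON-encode the value (escapes quotes and backslashes),
// then escape characters that could close the <script> element or act as
// line terminators inside a JS string, so the browser always sees exactly
// one string literal regardless of the input.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(jobId) {
  return '<script>var jobId = ' + jsStringLiteral(jobId) + ';</script>';
}

// Sanity check a reviewer can run over rendered output: the only "</script>"
// allowed is the one that closes the block the renderer itself wrote.
function scriptBlockIntact(rendered) {
  const close = '</script>';
  return rendered.indexOf(close) === rendered.length - close.length;
}

const payload = getParam(CONSTRUCTED_QUERY, 'jobId');
console.log(renderUnsafe(payload)); // second statement alert("xss") executes
console.log(renderSafe(payload));   // one harmless string literal
```

The same encoding rule applies to any value placed inside an inline script; HTML entity encoding alone is not sufficient in a JavaScript string context.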

Keep in mind that have many important clients like Accenture, KPMG, DHL, ŠKODA AUTO, Telefónica, T-Mobile, BOSCH Group, GE Money, Vodafone, Ernst & Young, SIEMENS, Avast and many others.

I would like to thank the security team for keeping me updated and providing a solution to this issue very fast. It's always good to see companies that care about security and appreciate help from outsiders.

23 Apr 2013: Reported to
24 Apr 2013: First contact with technical support
25 Apr 2013: Update from security team
13 May 2013: Patched
13 Jun 2013: Full disclosure
