XSS on Nokia

Affected Endpoint: https://qa-online.networks.nokia.com/entry/open/DoUp?action=login&TARGET=
Payload: "accesskey="X"onclick="alert(1)"UserTarget=
Full URL: https://qa-online.networks.nokia.com/entry/open/DoUp?action=login&TARGET="accesskey="X"onclick="alert(1)"UserTarget=

Description

While testing the attack surface we came across the following URL, which has two parameters, action and UserTarget; after that the page redirects us to another URL.

The new page takes the values of the previously mentioned parameters action and UserTarget, combines them into another variable called TARGET, and reflects these values in the page's response.

If we try to inject a payload into the TARGET parameter, the payload ends up inside the UserTarget parameter in the response, where it is filtered very well. So by default any value inserted in the TARGET parameter is stored inside UserTarget and filtered. But what if we inject the payload into the action parameter inside the TARGET parameter?

Now comes the fun part: the TARGET parameter contains two other parameters, action and UserTarget, which came from the previous URL. Here is the problem: of the two parameters passed into TARGET, one (UserTarget) is filtered and the other (action) is not.

To be specific, the action parameter filters the > character but not the double-quote character, so we have to limit ourselves to the double-quote. Because > is filtered we can't close the tag and write another tag; we are limited to the input tag itself.
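As an added example (not the author's code; the site's real server-side code is unknown), the following Python models the asymmetric filtering described above: action only has > stripped while UserTarget is attribute-escaped, and a small HTML-parser check reports which attributes the reflected value adds to the hidden input under the weak filter versus proper attribute escaping. The markup of the hidden TARGET field is an assumption.

```python
import html
from html.parser import HTMLParser

# Attributes the (assumed) template itself puts on the hidden input.
EXPECTED_ATTRS = {"type", "name", "value"}


def strip_gt(value: str) -> str:
    """Weak filter modelled on the write-up: drops '>' but keeps '"'."""
    return value.replace(">", "")


def attribute_escape(value: str) -> str:
    """Correct fix: escape &, <, >, " and ' before placing text in an attribute."""
    return html.escape(value, quote=True)


def render_hidden_field(action: str, user_target: str, escape) -> str:
    """Render the hidden TARGET input (assumed template); `escape` is applied to
    action, while UserTarget is always attribute-escaped, as the page describes."""
    target = f"action={escape(action)}&UserTarget={attribute_escape(user_target)}"
    return f'<input type="hidden" name="TARGET" value="{target}">'


class _InputAttrs(HTMLParser):
    """Collects the attribute names of every <input> in the parsed markup."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def injected_attributes(markup: str) -> set:
    """Attribute names on the input that the template did not put there.
    A non-empty result means the reflected value broke out of the value attribute."""
    parser = _InputAttrs()
    parser.feed(markup)
    found = set()
    for attrs in parser.inputs:
        found |= set(attrs) - EXPECTED_ATTRS
    return found


def reflection_is_safe(action: str, user_target: str, escape) -> bool:
    """True when the reflected parameters cannot add attributes to the hidden input."""
    return not injected_attributes(render_hidden_field(action, user_target, escape))
```

Under `strip_gt` the write-up's payload yields the extra `accesskey` and `onclick` attributes, while `attribute_escape` keeps the same input confined to the value attribute.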

Now we can inject any payload we want into the action parameter inside the TARGET parameter, but there is one obstacle to exploiting this XSS: XSS in hidden inputs is frequently very difficult to exploit because typical JavaScript events like onmouseover, onclick, and onfocus can't be triggered, since the element is invisible.

After searching for some time we found a way to exploit this vulnerability at the following link: https://portswigger.net/research/xss-in-hidden-input-fields.

Now we have the ability to run any malicious payload in the user context.

Now we can clean the payload up a little, removing any unnecessary parameters or characters, so the final payload becomes the following.

And here we go: the payload triggers on Firefox with the shortcut ALT+SHIFT+X.

Final Words

  • Take note of any parameters nested inside other parameters (an array of parameters) like the following: TARGET=http://bla.com?action=bla&UserTarget=bla, and test everything.

  • Take note of which parameters are filtered and which characters inside these parameters are also filtered.

  • Take note that a hidden input field can be exploited inside the same tag.
