Vulnerability Summary
Collab with Tonysec https://academy.logicalbreach.com/authors/tonysec
The error page of a central Single Sign-On origin ([REDACTED-SSO]) reads a retryUrl query parameter, stores it verbatim in the SPA's component state, and passes it — with no scheme validation — to window.location.replace() when the victim clicks the page's visible "Try again" call-to-action.
Supplying retryUrl=javascript:name causes the browser to evaluate window.name as JavaScript in the SSO origin. The edge WAF blocks naive javascript:alert(...) payloads, but javascript:name is a bare identifier that passes every rule — and the actual HTML payload is never sent through the WAF at all, because it's smuggled in via window.name, which is seeded by the attacker's anchor target attribute.
Result: arbitrary JavaScript execution on the SSO origin that federates many downstream properties (including online banking). The page's CSP sandbox omits allow-modals, so only dialog APIs (alert/confirm/prompt) are suppressed — DOM takeover, credentialed fetch/XHR, document.cookie (non-HttpOnly), localStorage/sessionStorage, and postMessage are all fully available.
Affected asset: [REDACTED-SSO] — central SSO / identity origin (primary)

A DOM-based XSS vulnerability was discovered affecting multiple endpoints within a financial institution's web application. The target_route parameter was being processed client-side without proper validation or sanitization. This flaw allowed an attacker to execute arbitrary JavaScript code by utilizing the javascript: URI scheme.
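As an added example (not the SSO's code or the report's own proof of concept), this is how the retryUrl handling should look on the defender's side: resolve the parameter against the SSO origin, allow only same-origin https targets, and re-emit a relative path before it ever reaches location.replace(). The origin value, function names and the injected location object are assumptions for illustration.

```javascript
// Constructed placeholder for the real [REDACTED-SSO] origin.
const SSO_ORIGIN = 'https://sso.example.test';
const FALLBACK_PATH = '/';

// Returns a safe relative path for the retry link, or FALLBACK_PATH.
function safeRetryUrl(candidate, origin = SSO_ORIGIN) {
  if (typeof candidate !== 'string' || candidate.length === 0 || candidate.length > 2048) {
    return FALLBACK_PATH;
  }
  let parsed;
  try {
    // Resolving against the origin gives "javascript:name", "data:..." and
    // "//evil.example" a real, inspectable scheme and host instead of trusting a string.
    parsed = new URL(candidate, origin);
  } catch {
    return FALLBACK_PATH; // unparseable input never reaches location.replace()
  }
  // Scheme allow-list: the WHATWG parser lowercases it, so "JavaScript:" is caught too.
  if (parsed.protocol !== 'https:') return FALLBACK_PATH;
  // Same-origin only: blocks open redirects and protocol-relative tricks.
  if (parsed.origin !== origin) return FALLBACK_PATH;
  // Re-emit as path + query so no scheme or host can be reintroduced downstream.
  return parsed.pathname + parsed.search;
}

// Where the check belongs: the "Try again" click handler. `location` is injected
// (assumption) so the handler can be exercised outside a browser.
function onTryAgain(queryString, location) {
  const params = new URLSearchParams(queryString);
  const target = safeRetryUrl(params.get('retryUrl'));
  location.replace(target);
  return target;
}

// Secondary defence: an attacker-seeded window.name should not survive on the SSO origin.
// Returns true when a non-empty name was cleared. `win` is any object with a `name` field.
function scrubWindowName(win) {
  if (typeof win.name === 'string' && win.name.length > 0) {
    win.name = '';
    return true;
  }
  return false;
}
```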
HackerOne disclosed report: https://hackerone.com/reports/3608199 by xavlimsg