Vulnerability Summary
A critical Reflected Cross-Site Scripting (XSS) vulnerability was discovered in a captive WiFi portal, allowing an unauthenticated attacker to steal the credentials of any user who opens a malicious URL. The portal reflects a URL tracking parameter (the device identifier) directly into a hidden <input> field in the authentication response, without applying any HTML encoding or sanitization. When the victim submits their login credentials, the injected <script> tag executes in the context of the trusted portal domain, before the page's own auto-submit mechanism can react, allowing the attacker to silently redirect the credentials to an arbitrary server.
The initial endpoint GET /auth/portalMenu stores the device_id URL parameter in the HTTP session. When the victim enters their details and clicks login, the request is sent to the POST /auth/VerifyCredentials endpoint. The server-generated response embeds the previously saved session value inside an <input value="..."> attribute without encoding dangerous characters such as ", <, or >. This allows an attribute breakout and, consequently, the injection of JavaScript code that executes immediately when the response is rendered.
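To make the root cause concrete, the following added example (written for this page, not the portal's own code) renders the hidden field the way the advisory describes it and beside it the corrected rendering, then checks whether a reflected value has broken out of the attribute. The function names, the device identifier format used for the allowlist check, and the sample value are all assumptions; the sample is a constructed test string, not a value observed in the affected portal.

```python
import html
import re

# Constructed sample: a device identifier that attempts the attribute breakout
# described above. It is a test input for the renderers below, not data from
# the affected portal.
BREAKOUT_SAMPLE = 'dev-42"><script>evil()</script>'

# Assumed device identifier format for the allowlist check; adjust to the real scheme.
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Any '<' followed by a letter or '/' starts a tag; the template itself has exactly one.
TAG_OPENER_RE = re.compile(r"<[A-Za-z/]")


def render_hidden_input_unsafe(device_id: str) -> str:
    """Mirrors the flaw: the session value is dropped into value="..." verbatim."""
    return f'<input type="hidden" name="device_id" value="{device_id}">'


def render_hidden_input_safe(device_id: str) -> str:
    """Fix: attribute-encode the value. quote=True also escapes the double quote,
    so the value cannot close the attribute and open a new tag."""
    encoded = html.escape(device_id, quote=True)
    return f'<input type="hidden" name="device_id" value="{encoded}">'


def is_valid_device_id(device_id: str) -> bool:
    """Defense in depth: reject identifiers that do not match the expected format
    before they are ever stored in the session."""
    return DEVICE_ID_RE.fullmatch(device_id) is not None


def reflected_tag_count(markup: str) -> int:
    """Count tag openers in the rendered fragment; a clean hidden input has one."""
    return len(TAG_OPENER_RE.findall(markup))


def attribute_breakout_detected(device_id: str, renderer) -> bool:
    """True when rendering device_id produces more tag openers than the template
    contributes on its own, i.e. the value escaped the attribute."""
    return reflected_tag_count(renderer(device_id)) > 1


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_hidden_input_unsafe),
                           ("safe", render_hidden_input_safe)):
        print(f"{name}: breakout={attribute_breakout_detected(BREAKOUT_SAMPLE, renderer)}")
        print("  ", renderer(BREAKOUT_SAMPLE))
    print("allowlist accepts sample:", is_valid_device_id(BREAKOUT_SAMPLE))
```

The encoding fix is what closes the reported issue; the allowlist check is a second, independent control that also blocks the value at the GET /auth/portalMenu step, so an unexpected identifier never reaches the session or the response.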