Stored XSS In Red Hat® Subdomain

So one fine day, I came across a Facebook post by a fellow hacker who had been placed in the Red Hat Hall of Fame for finding a security bug. Red Hat being one of my dream companies, I decided to jump on the wagon too. This story is about how I found a tricky stored XSS in one of the Red Hat subdomains.

What is Stored XSS?

So let's first start with "What is Stored XSS?" and, more importantly, "What is XSS?"
XSS stands for Cross (X) Site Scripting. In simple words, it lets an attacker run arbitrary code (more specifically, arbitrary JavaScript) in another user's browser, because the site puts unsanitized input into its pages. In even simpler words: if I type a snippet of HTML/JavaScript into a site's search bar instead of a plain string, and the site echoes it back into the page without encoding it, the browser will execute it.
Stored XSS is when the injected code is saved by the application (in a post, a comment, a profile field) and served to every visitor, so the code runs each time the affected page is loaded, with no need to trick a victim into clicking a crafted link. It is the most dangerous variant and can be brutal if it spreads site-wide, as the 2005 MySpace Samy worm did.
[ — — — — — — — — — — "Samy is my hero" — — — — — — — — — — — ]

The Subdomain:

After a bit of recon, I came across the subdomain developers.redhat.com, a portal for developer tools and cloud training for developers.

<img src=xyz
<img src=x onerror=alert('TEST')>

The Sweet XSS:

Now I was just one search away from finalizing the PoC and the report. I searched for the keyword and got the pop-up.

  1. The search fetches all the blog and forum posts from various sites that match the query.
  2. Because the post contents shown in the results are not filtered (HTML-encoded) before being inserted into the page, any script inside a post's content executes in the browser of whoever runs that search.

Mitigation:

Filtering (properly: HTML-encoding) every piece of untrusted text before it is rendered into your web page is really important, and that includes content pulled in from other sites. In this case almost everything was being filtered: the search queries and even the titles of the blog posts were encoded. But the post content, specifically the content aggregated from the JBoss Forums, was not, which is how the script ended up stored in the results page. The fix is to treat every field of every aggregated result as untrusted and encode it on output, no matter which source it came from.
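To make the two points above concrete (the results list that executes the script, and the mitigation of encoding every untrusted field), here is an added example that is not code from the original post or from Red Hat. It simulates a search page that aggregates posts from several sources and builds the results HTML. The `renderResultsUnsafe` function reproduces the gap the post describes: titles are encoded but bodies are concatenated raw. `renderResultsSafe` encodes everything. The source names, field names and sample results are constructed for the example; the payload in the second sample result is the one from this post.

```javascript
// Added example (not the original post's code). Simulates a search page
// that aggregates posts from several sources and renders them into HTML.
// Runs under Node without a DOM: it only builds and inspects HTML strings.

// Minimal HTML entity encoder, safe for text nodes and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample results. The second one carries the payload from the
// post inside its body, the way an attacker's forum post would.
const sampleResults = [
  { source: "blog",
    title: "Getting started with OpenShift",
    body: "Plain text summary of the article." },
  { source: "jboss-forum",
    title: "Help with <b>Drools</b>",
    body: "see this: <img src=x onerror=alert('TEST')>" },
];

// Vulnerable renderer: titles are encoded, bodies are inserted raw.
// Any markup inside a body reaches the browser as live HTML.
function renderResultsUnsafe(results) {
  return results
    .map(r => `<li><h3>${escapeHtml(r.title)}</h3><p>${r.body}</p></li>`)
    .join("");
}

// Fixed renderer: every untrusted field is encoded, whatever its source.
function renderResultsSafe(results) {
  return results
    .map(r => `<li><h3>${escapeHtml(r.title)}</h3><p>${escapeHtml(r.body)}</p></li>`)
    .join("");
}

// Crude regression check: an element carrying an on* event-handler
// attribute in the rendered output means result markup was rendered as
// HTML instead of text. Encoded content never contains a real "<" so it
// cannot match.
const LIVE_HANDLER = /<[a-z][^>]*\son\w+\s*=/i;
function containsLiveHandler(html) {
  return LIVE_HANDLER.test(html);
}

console.log("unsafe:", renderResultsUnsafe(sampleResults));
console.log("  live handler present:", containsLiveHandler(renderResultsUnsafe(sampleResults)));
console.log("safe:  ", renderResultsSafe(sampleResults));
console.log("  live handler present:", containsLiveHandler(renderResultsSafe(sampleResults)));
```

The regex check is deliberately crude (it is a test helper, not a sanitizer); the real control is that `renderResultsSafe` never passes an unencoded field to the page. If the results page genuinely needs to show rich text from the forum, the body should go through an allow-list HTML sanitizer rather than raw concatenation, and a Content-Security-Policy without `unsafe-inline` adds a second layer.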
