Introduction
In this write-up, I will share my journey of discovering a Reflected Cross-Site Scripting (XSS) vulnerability on a subdomain of Ford Motor Company back in September 2021. This vulnerability allowed for the execution of arbitrary JavaScript code in the context of the user's browser, which could lead to cookie theft or session hijacking.
Phase 1: Reconnaissance (The Power of Google Dorks)
On September 13, 2021, I started my research by looking for subdomains that might be overlooked. Using a simple yet effective Google Dork, I was able to narrow down the attack surface:
- Query: site:ford.com
- Target Identified: [REDACTED].ford.com
Phase 2: Discovery & Analysis
Upon navigating to the site, I focused on the Search Functionality.
- Initial Probe:
I submitted a unique string iProgrammer16 into the search field. Using a unique value is a key step to easily identify where and how the input is reflected within the page's HTML source code.
- Observing the Reflection:
By inspecting the page's source code, I successfully located my unique string reflected within an HTML tag. It was rendered as a value inside the search input attribute:
<input type="text" name="search" value="iProgrammer16">
This confirmed the exact reflection point, indicating that any input provided in the search field would be mirrored directly within this specific HTML attribute.
- Breaking the Context:
After identifying the reflection point, I attempted to break the HTML context by injecting the following payload:
">iProgrammer16
Upon checking the source code again, I saw that the characters " and > were not encoded or filtered. This allowed me to escape the value attribute and close the input tag, proving that the application failed to properly sanitize special characters and was vulnerable to injection.
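The missing control here is output encoding for the HTML attribute context. The following is an added example, not code from the affected site or from the original write-up: a hypothetical search-box template shown unencoded and encoded, plus a small regression check that reports whether a reflected value ends the value attribute early. All function names are assumptions made for illustration.

```javascript
// Added example: hypothetical server-side template for the search box.
// Function names are assumptions, not the affected site's code.

// Vulnerable: the query is concatenated into the value attribute unencoded.
function renderSearchUnsafe(query) {
  return `<input type="text" name="search" value="${query}">`;
}

// Encode every character that can end an attribute value or start markup.
// '&' is replaced first so the entities produced below are not re-encoded.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened: same template, with the value encoded for the attribute context.
function renderSearchSafe(query) {
  return `<input type="text" name="search" value="${escapeHtmlAttr(query)}">`;
}

// Regression check: find the first quote after value=" (where a tokenizer
// would end a double-quoted attribute) and confirm the tag ends right there.
function breaksOutOfValue(html) {
  const marker = 'value="';
  const start = html.indexOf(marker);
  if (start === -1) return false; // no value attribute rendered
  const valueEnd = html.indexOf('"', start + marker.length);
  // Safe rendering: the closing quote is followed only by the final '>'.
  return !(valueEnd !== -1 && html.slice(valueEnd) === '">');
}

// Constructed sample inputs: the benign marker and the context-break probe
// quoted in the write-up.
const samples = ['iProgrammer16', '">iProgrammer16'];
for (const q of samples) {
  console.log(JSON.stringify(q),
    "| unsafe breaks out:", breaksOutOfValue(renderSearchUnsafe(q)),
    "| safe breaks out:", breaksOutOfValue(renderSearchSafe(q)));
}
```

A check like breaksOutOfValue belongs in the template's unit tests, so that a later change which drops the encoding fails the build instead of reaching production.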
Phase 3: Proof of Concept (PoC)
After confirming the context break, I executed the following payload to prove the impact:
Payload:
<script>alert("iProgrammer16")</script>

The browser executed the script, and the alert box popped up. This confirmed a Reflected XSS vulnerability on the search parameter.
Proof of Concept Video:
The video demonstrates the execution of the script and the appearance of the alert box upon submitting the search query.
A successful XSS attack on this endpoint could allow an attacker to perform:
- Session Hijacking: Stealing session cookies.
- Phishing & Defacement: Modifying the page content.
- Malware Distribution: Prompting users to download malicious files from a trusted source.
Recognition & Appreciation
After the vulnerability was resolved, I was honored to be included in Ford's Hall of Fame as a thank you for my contribution to their security.

Timeline & Resolution
September 13, 2021: Report submitted to Ford.
September 16, 2021: Report Triaged (Severity: Medium 5.6)
January 24, 2024: Vulnerability confirmed as Resolved.
Contact me:
- LinkedIn: https://www.linkedin.com/in/saleh16abdullah/
- X (formerly Twitter): ItsS4LEH
- Telegram Channel: ItsS4LEH
Thank you for reading! If you enjoyed this write-up, feel free to follow for more security research and findings.
By: ItsS4LEH