What's the Mission?
The target was a Drupal-based CMS where I discovered a Reflected Cross-Site Scripting (XSS) vulnerability due to lack of proper input sanitization, which could potentially lead to impactful exploitation.
Step 1: Initial Recon
While exploring the target, I identified that the application was running on Drupal CMS.
The endpoint looked like this: https://production.adtech.backyard.example.com/okta-rt-errorpage.php?
When accessing the page, I noticed the following warnings:

Step 2: Parameter Discovery
From the warnings, I was able to identify two parameters:
- error_code
- error
This is a common case where backend debug messages leak useful information for attackers.
Step 3: Testing for XSS
I started testing the error parameter by injecting input:
https://production.adtech.backyard.example.com/okta-rt-errorpage.php?error=test
I noticed that the input was directly reflected in the response, which is a strong indicator of a potential XSS vulnerability.
Next, I tested a basic payload:
<script>alert(1)</script>
Used in the URL:
https://production.adtech.backyard.example.com/okta-rt-errorpage.php?error=<script>alert(1)</script>
Step 4: Exploitation
After sending the payload…
Boom: the alert was triggered successfully.

This confirmed a Reflected XSS vulnerability due to:
- No input validation
- No output encoding
- Direct reflection of user input into the response
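The three causes above, shown as an added example that is not code from the target or from the original write-up: a hypothetical PHP error page with the reflecting version next to a hardened one. The function names, the allow-list entries and the assumption that the leaked warnings were PHP notices for missing query parameters are illustrative.

```php
<?php
// Added example: hypothetical reconstruction, not the target's real source.
declare(strict_types=1);

// Constructed allow-list; a real page would list the codes its login flow can return.
const KNOWN_ERRORS = [
    'access_denied'  => 'Access was denied.',
    'login_required' => 'Please sign in again.',
];

// "Before": the parameter is written into the HTML exactly as received.
function render_vulnerable(array $query): string
{
    return '<p>Error: ' . ($query['error'] ?? '') . '</p>';
}

// "After": validate what can be validated, encode everything that is echoed.
function render_hardened(array $query): string
{
    // ?? avoids a notice for a missing parameter; is_string rejects error[]=x arrays.
    $code  = is_string($query['error_code'] ?? null) ? $query['error_code'] : '';
    $error = is_string($query['error'] ?? null) ? $query['error'] : '';

    // Input validation: unknown codes fall back to a fixed generic message.
    $message = KNOWN_ERRORS[$code] ?? 'An unexpected error occurred.';

    // Output encoding: <, >, &, " and ' become entities, so markup is shown as text.
    $detail = htmlspecialchars(substr($error, 0, 200), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<p>' . $message . '</p><p>Detail: ' . $detail . '</p>';
}

// Production settings: log errors server-side instead of printing them into the page,
// which is what exposed the parameter names in the first place (assumed cause).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed input using the payload from the write-up; in a real page this is $_GET.
$sample = ['error' => '<script>alert(1)</script>'];
echo render_vulnerable($sample), PHP_EOL; // script tag reaches the browser as markup
echo render_hardened($sample), PHP_EOL;   // same input arrives as inert text
```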
Impact
This vulnerability could allow an attacker to:
- Execute arbitrary JavaScript in the victim's browser
- Steal session cookies
- Perform actions on behalf of authenticated users
- Deliver phishing or malicious payloads
Conclusion
This was a straightforward but impactful vulnerability caused by missing input sanitization and exposed debug messages.
It highlights how even simple misconfigurations can lead to critical client-side attacks.
Thanks for reading, and happy hacking!