Aug 29, 2018

Reflected XSS in Django REST Framework Api at MapBox Subdomain

Bounty: $500
Program: Mapbox
Subdomain: osmcha.mapbox.com

******************************************************************

While I was testing osmcha.mapbox.com, I found that the Django REST framework API was available to all users
(I don't mean the admin panel; I mean the normal API paths).

So I started testing the /changesets/ path, though I admit it is hard to find a bug in a Django API:
https://osmcha.mapbox.com/api/v1/changesets/


I noticed that the endpoint accepts several query parameters:
https://osmcha.mapbox.com/api/v1/changesets/?page=1&page_size=75&date__gte=2017-07-01

So I started testing them.
The affected parameter was date__gte=.
It accepted any value without validation and reflected it into the response, which allowed XSS.

The PoC was:
https://osmcha.mapbox.com/api/v1/changesets/?date__gte=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(1)%3C/scRipt%3E&format=json&page=2&page_size=75
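The bug comes down to a query parameter that is supposed to be a date being reflected into an HTML response as-is. The following is an added example, written for this write-up and not code from the author, from Mapbox, or from Django REST framework. The `render_filter_*` functions are a hypothetical stand-in for whatever HTML view reflected the `date__gte` value (assumed here to be a filter form); they show the vulnerable rendering next to the two fixes a defender would apply (output encoding and input validation). The access-log lines and their client addresses are constructed; the second one carries the PoC query string from the write-up so the detection routine has something to flag.

```python
import html
import re
from datetime import date
from urllib.parse import parse_qs, urlsplit

# The PoC URL from the write-up; only its query string is used here.
POC_URL = (
    "https://osmcha.mapbox.com/api/v1/changesets/"
    "?date__gte=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(1)%3C/scRipt%3E"
    "&format=json&page=2&page_size=75"
)


def get_param(url, name):
    """Return the percent-decoded value of query parameter `name` ("" if absent).
    Works for a full URL or for a bare request path such as /api/v1/changesets/?x=1."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_filter_unsafe(value):
    """Hypothetical vulnerable rendering: the raw filter value is interpolated
    into an HTML attribute with no validation and no escaping."""
    return f'<input name="date__gte" value="{value}">'


def render_filter_escaped(value):
    """Mitigation 1: contextual output encoding. html.escape with quote=True
    also encodes ' and ", so the value cannot break out of the attribute."""
    return f'<input name="date__gte" value="{html.escape(value, quote=True)}">'


def validate_date(value):
    """Mitigation 2: input validation. A date__gte filter should only ever be
    an ISO date; anything else is rejected (None) before it can be reflected."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def render_filter_validated(value):
    """Validate first, then still escape: defence in depth."""
    parsed = validate_date(value)
    shown = parsed.isoformat() if parsed else ""
    return f'<input name="date__gte" value="{html.escape(shown, quote=True)}">'


# Constructed access-log lines (combined log format, RFC 5737 documentation
# addresses). The second line carries the write-up's PoC query string.
ACCESS_LOG = [
    '198.51.100.7 - - [29/Aug/2018:10:00:00 +0000] "GET /api/v1/changesets/'
    '?page=1&page_size=75&date__gte=2017-07-01 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [29/Aug/2018:10:01:12 +0000] "GET /api/v1/changesets/'
    '?date__gte=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(1)'
    '%3C/scRipt%3E&format=json&page=2&page_size=75 HTTP/1.1" 200 7344',
]

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_bad_date_filters(lines):
    """Detection: return (client_ip, decoded_value) for every request whose
    date__gte value is not a plain ISO date, e.g. an XSS probe against the filter."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        value = get_param(m.group(1), "date__gte")
        if value and not ISO_DATE.match(value):
            hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    payload = get_param(POC_URL, "date__gte")
    print("decoded payload :", payload)
    print("unsafe render   :", render_filter_unsafe(payload))
    print("escaped render  :", render_filter_escaped(payload))
    print("validated render:", render_filter_validated(payload))
    print("log hits        :", find_bad_date_filters(ACCESS_LOG))
```

Running the script prints the decoded payload, the three renderings, and the one log line that is flagged. Escaping alone already neutralises the PoC, but validation is the better primary fix for this parameter: a `__gte` date filter has no business accepting anything other than a date, and rejecting non-dates also keeps the bad value out of error messages and other places that are easy to forget to encode.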


**********************************************


Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student