XSS @ store.steampowered.com via agecheck path name
State Resolved (Closed)
Disclosed publicly 2019-01-07T20:11:49.328Z
Reported To Valve
Weakness Cross-site Scripting (XSS) - Reflected
Bounty $750


Timeline
tvmpt submitted a report to Valve.
2018-09-07T09:15:52.056Z

Hi,

I found a Cross-Site Scripting (XSS) in store.steampowered.com because the path after /agecheck/ is not sanitized as it should be.

https://store.steampowered.com/agecheck/appmhuh2',{ sessionid: g_sessionID, ageDay: '', ageMonth: '', ageYear: '' } ).done( function( response ) { }%20 );}alert`XSS-by-TvM`;function x(){$J.post('mr2n2/247660/

Open this^ link, and XSS will be executed! Tested on FF 61.0.2

Looking forward!

Best regards,
Pedro

Impact

A cross-site scripting vulnerability allows an attacker to modify the page. The attacker can inject forms to steal usernames, passwords, cookies, etc. In short, XSS opens the doors to plenty of phishing techniques.

Regards,
Frans
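The defect class behind this report is a URL path segment reflected into a JavaScript string literal inside an inline script, where a single quote ends the literal and the rest of the segment runs as code. The following is an added example written for this page, not Valve's code and not the reporter's: it mimics that shape with a hypothetical server-side render function, then shows the two fixes a reviewer would ask for, encoding for the JS string context and allowlisting the segment before it is reflected at all. The `$J.post(...)` skeleton and the `app/<digits>` path pattern are assumptions made for illustration.

```javascript
// Hypothetical mimic of the defect class (not Valve's code): the path segment
// after /agecheck/ is concatenated raw into a single-quoted JS string literal
// inside the page's inline script. A quote in the segment ends the literal.
function renderInlineScriptUnsafe(appSegment) {
  return "$J.post('" + appSegment + "', { sessionid: g_sessionID });";
}

// Encoder for a JavaScript string context. JSON.stringify already escapes
// quotes, backslashes and control characters; on top of that we escape
// < > & so the literal can never form "</script>", and U+2028/U+2029,
// which JSON.stringify leaves raw but which JavaScript treats as line
// terminators inside a string.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened render: the segment is always a complete, closed string literal.
function renderInlineScriptSafe(appSegment) {
  return "$J.post(" + jsStringLiteral(appSegment) + ", { sessionid: g_sessionID });";
}

// Allowlist check applied before reflection. The exact shape of a valid
// agecheck path is an assumption for this example: "app/" plus a numeric id.
function isValidAppSegment(segment) {
  return /^app\/\d{1,10}$/.test(segment);
}

// Server-side handler sketch: reject anything outside the allowlist, and
// encode what remains. Both layers together cover the case where the
// allowlist is later loosened.
function renderAgeCheckScript(segment) {
  if (!isValidAppSegment(segment)) {
    return { status: 400, body: "" };
  }
  return { status: 200, body: renderInlineScriptSafe(segment) };
}

// Constructed demonstration inputs (not the report's payload): a valid id and
// a segment containing a quote and a tag, which the unsafe renderer lets out
// of the string literal and the safe path neutralises.
function demo() {
  return {
    unsafe: renderInlineScriptUnsafe("app/1'"),
    safe: renderInlineScriptSafe("app/1'<s>"),
    handler: renderAgeCheckScript("app/1'<s>"),
    ok: renderAgeCheckScript("app/247660"),
  };
}
```

Encoding with `jsStringLiteral` is what fixes the string-context break-out; the allowlist check is the cheaper and more robust control, because an age-check path has no business carrying anything but an identifier. Keeping user-controlled values out of inline scripts entirely (for example, passing them through a `data-` attribute that the page's script reads) removes this context from the page and also makes a strict Content-Security-Policy without `unsafe-inline` possible.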

tescoramen Activities::Comment
2018-09-09T02:17:44.349Z
Hey @tvmpt, thanks for the report, I'm looking into it now.


tescoramen Activities::ReportSeverityUpdated
2018-09-09T02:18:48.682Z


tescoramen Activities::BugTriaged
2018-09-09T02:18:50.560Z
Thank you for your submission! Your report has been validated, and it has been submitted to the appropriate remediation team for review. They will let the HackerOne triage team know the final ruling on this report, and if/when a fix will be implemented. The HackerOne triage team will follow-up after the remediation team has assessed the impact of this report. Please note that the status and severity are subject to change.


tescoramen Activities::Comment
2018-09-09T02:20:42.611Z
#


Activities::BountyAwarded
2018-09-19T21:48:58.876Z


jacobu Activities::BugResolved
2018-09-19T21:49:11.680Z
Thanks for the detailed report. We have published a fix for this report to our production systems. Please let us know if you're still able to reproduce the issue.


tvmpt Activities::Comment
2018-09-19T22:20:58.317Z
Thank you for the reward!


tvmpt Activities::AgreedOnGoingPublic
2018-09-19T22:21:14.562Z


bgilmore Activities::AgreedOnGoingPublic
2019-01-07T20:11:49.288Z


bgilmore Activities::ReportBecamePublic
2019-01-07T20:11:49.345Z