Cache Poisoning and XSS in Glassdoor (2000 USD)

We discussed this vulnerability as part of our weekly podcast on 15 March 2022

Two issues: first, an XSS that needed two injection points to bypass the web application firewall (WAF), and second, a cache poisoning attack that made it possible for the XSS to be stored.

Cross-Site Scripting - The first XSS discovered was that the gdId cookie was reflected in the page. However, because the WAF blocked any request containing a space or an HTML tag, it couldn't be weaponized on its own. The page also reflected the user's IP nearby, which can be influenced through the X-Forwarded-For header. Combining these two injection points led to a working XSS.

Cache Poisoning - The application would cache pages if they had a .js or .css file extension, and such an extension could be appended to a request without changing the endpoint it resolved to. This allowed the XSS, which depended on custom request headers, to be stored in the cache and served to other visitors.
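The cache-key mismatch described above, modelled as an added example (not Glassdoor's code; the origin, cache classes, paths and header values are all constructed): the vulnerable cache decides cacheability from the URL extension alone, while the hardened cache only stores responses the origin marks shareable and whose Content-Type is actually a static-asset type, so header-dependent HTML is never cached.

```python
STATIC_EXT = (".js", ".css")

def origin(path, headers):
    """Toy origin server (constructed). Routing strips a trailing static
    extension, so '/profile' and '/profile.js' reach the same dynamic
    handler, and the body reflects the X-Forwarded-For request header."""
    route = path.rsplit(".", 1)[0] if path.endswith(STATIC_EXT) else path
    if route == "/profile":
        client_ip = headers.get("X-Forwarded-For", "203.0.113.1")
        return {"status": 200,
                "headers": {"Content-Type": "text/html", "Cache-Control": "private"},
                "body": f"<p>your ip: {client_ip}</p>"}
    return {"status": 404, "headers": {"Content-Type": "text/plain"}, "body": "not found"}

class VulnerableCache:
    """Caches purely by URL extension and keys only on the path, ignoring
    every request header the origin used to build the response."""
    def __init__(self):
        self.store = {}
    def get(self, path, headers):
        if path.endswith(STATIC_EXT) and path in self.store:
            return self.store[path]
        resp = origin(path, headers)
        if path.endswith(STATIC_EXT):
            self.store[path] = resp
        return resp

class HardenedCache:
    """Stores a response only when the origin marks it 'public' and the
    Content-Type is a real static-asset type; the extension decides nothing."""
    CACHEABLE_TYPES = {"application/javascript", "text/css"}
    def __init__(self):
        self.store = {}
    def cacheable(self, resp):
        cache_control = resp["headers"].get("Cache-Control", "")
        ctype = resp["headers"].get("Content-Type", "").split(";")[0].strip()
        return "public" in cache_control and ctype in self.CACHEABLE_TYPES
    def get(self, path, headers):
        if path in self.store:
            return self.store[path]
        resp = origin(path, headers)
        if self.cacheable(resp):
            self.store[path] = resp
        return resp

def poison_then_fetch(cache):
    """One request carries a tainted X-Forwarded-For value; a second, plain
    request for the same URL follows. Returns the body the second request sees."""
    cache.get("/profile.js", {"X-Forwarded-For": "TAINTED"})
    return cache.get("/profile.js", {})["body"]
```

With the vulnerable cache the second visitor receives the first request's reflected header value; with the hardened cache the HTML is never stored and each visitor gets their own.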