Bug Report On United Airlines

Target:

· https://www.united.com/en/us.

Scope:

· The website is vulnerable to DOM-based cross-site scripting.

Proof of Concept:

· Opened the URL https://www.united.com/en/us in Firefox.

· Captured the request in Burp Suite.

· Sent the request to the Repeater.

· Checked the response in the repeater.

· Gave the malicious script.

· Checked the response in Burp Suite (Repeater) after giving the malicious script.

· Also sent the request and viewed the response in the browser.
