Bug Report On United Airlines
Mar 31, 2021
Target:
· https://www.united.com/en/us
Scope:
· The website is vulnerable to DOM-based cross-site scripting.
Proof of Concept:
· Opened the URL https://www.united.com/en/us in Firefox.
· Captured the request in Burp Suite.
· Sent the request to Repeater.
· Checked the response in Repeater.
· Inserted the test payload into the request.
· Checked the response in Burp Suite Repeater after inserting the payload.
· Sent the request and viewed the response in the browser as well.
Given Payload to Test:
· #javascript:alert(1)
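The payload above is a URL fragment, so the class of bug it tests for is client-side code that reads location.hash (a DOM XSS source) and writes it into a navigation sink without checking the scheme. The following is an added illustration written for this report; it is not code from united.com or from the report's author. It shows the vulnerable pattern beside a hardened version that only accepts same-origin relative paths, plus a small classifier a defender can run over captured fragments. The page origin https://example.test and the loc object standing in for window.location are constructed for the example.

```javascript
// Added example (not code from the report or from the target site): a DOM-based XSS
// pattern where a fragment such as "#javascript:alert(1)" flows from location.hash
// (source) into a navigation sink, beside a hardened version. Runs under Node; the
// "loc" argument is a constructed stand-in for window.location.

const PAGE_ORIGIN = 'https://example.test/';  // constructed origin, assumption for parsing

function stripHash(hash) {
  return hash.startsWith('#') ? hash.slice(1) : hash;
}

// Vulnerable: the fragment is written straight into a navigation sink.
// In a real browser, assigning a javascript: URL to location.href runs the
// script in the page's origin, which is what "#javascript:alert(1)" exercises.
function vulnerableRedirect(hash, loc) {
  const target = stripHash(hash);
  loc.href = target;  // sink: no validation of the scheme or origin
  return target;
}

// Hardened: resolve the fragment against the page origin and accept it only if
// it is http(s) and same-origin. javascript:, data:, vbscript: and
// protocol-relative "//evil.test" inputs all fail the check and fall back.
function safeRedirect(hash, loc, fallback = '/') {
  const raw = stripHash(hash);
  let target = fallback;
  try {
    const parsed = new URL(raw, PAGE_ORIGIN);
    const allowedScheme = parsed.protocol === 'https:' || parsed.protocol === 'http:';
    const sameOrigin = parsed.origin === new URL(PAGE_ORIGIN).origin;
    if (allowedScheme && sameOrigin) {
      // Re-emit only the path, query and fragment so the redirect stays on-site.
      target = parsed.pathname + parsed.search + parsed.hash;
    }
  } catch (e) {
    // Unparsable input is treated like any other rejected value.
  }
  loc.href = target;
  return target;
}

// Detection helper for log or proxy review: flags fragments whose scheme would
// execute script or load attacker-controlled content if they reached a sink.
function isDangerousFragment(hash) {
  const raw = stripHash(hash).trim();
  return /^(javascript|data|vbscript):/i.test(raw);
}

// Stand-alone demonstration with the report's payload.
const demoLoc = { href: '' };
vulnerableRedirect('#javascript:alert(1)', demoLoc);
console.log('vulnerable sink received:', demoLoc.href);
safeRedirect('#javascript:alert(1)', demoLoc);
console.log('hardened sink received:', demoLoc.href);
console.log('flagged:', isDangerousFragment('#javascript:alert(1)'));
```

The hardened function deliberately rebuilds the destination from the parsed path rather than echoing the raw string, so scheme tricks hidden in leading whitespace or mixed case are neutralised by the URL parser rather than by a hand-written blocklist; the regex classifier is for triage only and is not the control.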
Severity:
· High
Web References:
· https://owasp.org/www-community/attacks/DOM_Based_XSS
· https://portswigger.net/web-security/cross-site-scripting/dom-based