Oracle Cross Site Scripting Vulnerability -Adesh Kolte

Author:

Adesh Nandkishor Kolte (An Independent Cyber Security Researcher)

Severity Level:

Medium

Vulnerable URL:

https://docs.oracle.com/cd/E17236_01/epm.1112/hpm_user/frameset.htm?

Payload:

javascript:alert(/xss/)

Vulnerable Parameter:

frameset.htm?

Technical Details & Description:

Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. XSS is among the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

By leveraging XSS, an attacker does not target a victim directly. Instead, the attacker exploits a vulnerability within a website or web application that the victim visits, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.

How Cross-site Scripting works

In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject a payload into a web page that the victim visits. Of course, an attacker could use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.

In order for an XSS attack to take place, the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser.
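A defensive check for the pattern this report describes, as an added example that is not from the original post or from Oracle's code: it assumes a frameset page that uses its query string as a frame location, which the post does not show. `safeFrameTarget`, `BASE` and `DEFAULT_PAGE` are hypothetical names with constructed values.

```javascript
// Added example: validate a frame target taken from the query string
// before it is ever assigned to a frame's location.
// BASE and DEFAULT_PAGE are constructed placeholder values.
const BASE = "https://docs.example.test/guide/frameset.htm";
const DEFAULT_PAGE = "https://docs.example.test/guide/index.htm";

function safeFrameTarget(search, base = BASE, fallback = DEFAULT_PAGE) {
  // Everything after '?' is user-controlled input.
  let raw = search.startsWith("?") ? search.slice(1) : search;
  try {
    raw = decodeURIComponent(raw);
  } catch (e) {
    return fallback; // malformed percent-encoding
  }
  if (raw === "") return fallback;

  // Let the URL parser normalise case and whitespace, so the scheme
  // check is made on what a browser would actually navigate to.
  let target;
  try {
    target = new URL(raw, base);
  } catch (e) {
    return fallback;
  }

  // Allow-list the scheme: javascript:, data:, vbscript: etc. all fail here.
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return fallback;
  }
  // Only frame content served from the same origin as the frameset itself.
  if (target.origin !== new URL(base).origin) return fallback;

  return target.href;
}

// Constructed sample inputs, including the payload quoted in this report.
for (const q of ["?ch01.htm", "?javascript:alert(/xss/)", "?//other.example.test/x"]) {
  console.log(q, "->", safeFrameTarget(q));
}
```

The check is an allow-list on the parsed URL rather than a search for the string `javascript:`, so mixed-case or percent-encoded variants are handled by the same two comparisons.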

Proof Of Concept:

Vulnerability Status:

Fixed

Hall Of Fame:

Listed in Top 100 most respected hackers in the world by Microsoft at the BlackHat conference in America 2018
