Posts

Showing posts from December, 2016

Cross-site Scripting (XSS) on Goodreads.com

During recent independent research I found that the Goodreads API was vulnerable to reflected cross-site scripting. The issue is in their REST API, on the callback parameter used for JSONP responses: the value is not sanitized in any way and is echoed back verbatim in the JSON payload, which lets a malicious user launch XSS attacks against Goodreads visitors. I submitted the issue to the Goodreads security team and it was quickly fixed.

Goodreads is an Amazon company with 55 million users. Its site is ranked 139 in the USA and 336 globally, according to Alexa.

Proof of Concept: vulnerable API calls with the XSS payload in the callback parameter:

https://www.goodreads.com/book/review_counts.json?callback=%3Chtml%3E%3Cbody%20onload=%22javascript:alert(%27XSS%27)%22%3E%3C/html%3E&isbns=0441172717

https://www.goodreads.com/book/isbn/0441172717?callback=%3Chtml%3E%3Cbody%20onload=%22javascript:alert(%27XSS%27)%22%3E%3C/html%3E&format=json

Vulnerability Disclosu
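As an added illustration (this is not Goodreads' code and not part of the original post), the Python below puts the reflection pattern the post describes next to a hardened JSONP handler. The payload is the one decoded from the proof-of-concept URLs above; the sample response data, the function names, and the text/html content type on the vulnerable side are assumptions made for the example.

```python
import json
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# Allow-list for the JSONP callback: a dotted JavaScript identifier path such as
# "cb", "jQuery1234_5678" or "window.handlers.done". Angle brackets, quotes,
# parentheses, semicolons and whitespace can never match, so the reflected
# value can only ever be a function name.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# The URL-encoded payload from the proof-of-concept URLs, decoded.
XSS_PAYLOAD = unquote(
    "%3Chtml%3E%3Cbody%20onload=%22javascript:alert(%27XSS%27)%22%3E%3C/html%3E"
)

# Constructed sample response data (not real Goodreads output). The title
# carries an HTML fragment to show that the data, not only the callback,
# needs escaping before it is embedded in a script response.
SAMPLE_DATA = {
    "books": [{"isbn": "0441172717", "reviews_count": 12345,
               "title": "</script><script>alert(1)</script>"}]
}

Response = Tuple[int, Dict[str, str], str]


def vulnerable_jsonp(callback: str, data: dict) -> Response:
    """Reflect the callback parameter verbatim: the pattern the post describes.

    The text/html content type is an assumption for illustration: whenever the
    browser renders (or sniffs) the response as HTML, the reflected markup runs.
    """
    body = f"{callback}({json.dumps(data)})"
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


def _js_safe_json(data: dict) -> str:
    """Serialize JSON so it is also safe to embed in a script/HTML context.

    ensure_ascii=True escapes U+2028/U+2029 (JS line terminators). '<', '>'
    and '&' can only occur inside JSON strings, so replacing them everywhere
    keeps the document valid JSON while removing every HTML-significant byte.
    """
    text = json.dumps(data, ensure_ascii=True)
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def hardened_jsonp(callback: str, data: dict) -> Response:
    """Validate the callback, serve as script, forbid sniffing, prefix /**/."""
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # never let the browser sniff HTML
    }
    if not CALLBACK_RE.fullmatch(callback):
        err = json.dumps({"error": "invalid callback"})
        return 400, {**headers, "Content-Type": "application/json; charset=utf-8"}, err
    # A leading /**/ stops the response from being parsed as a Flash (SWF) file
    # when an attacker-chosen callback supplies the header bytes (Rosetta Flash).
    body = f"/**/{callback}({_js_safe_json(data)});"
    return 200, headers, body


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_jsonp), ("hardened", hardened_jsonp)):
        status, headers, body = fn(XSS_PAYLOAD, SAMPLE_DATA)
        print(f"{name}: {status} {headers['Content-Type']}\n  {body[:80]}")
```

Three independent controls do the work: the callback allow-list stops markup from ever being reflected, the script content type plus nosniff stops the browser from treating the body as HTML even if something slips through, and escaping the JSON data closes the same hole on the data side. The 400 response for a rejected callback is deliberately plain JSON so the offending value is never echoed at all.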