
Cross Site Scripting Vulnerability in Oracle

In November, I reported a Cross Site Scripting bug which was affecting their domain "".

They fixed it within a month & I got listed in their Critical Patches Advisory later in January.


As you already know, Cross Site Scripting is an attack in which we can inject custom JavaScript code & the browser executes it as part of the page. For the proof of concept I used a simple alert(document.domain) payload, but the exploitation is not limited to that.

The domain which was vulnerable was "".

Affected Parameter: tab=INJECT-HERE

Payload: v9msv'onmouseover='alert(document.domain)'style='position:absolute;width:100%;height:100%;top:0;left:0;'poeg2

Encoded: v9msv%27onmouseover=%27alert(document.domain)%27style=%27position:absolute;width:100%;height:100%;top:0;left:0;%27poeg2

So, adding it all up, the PoC link was:;width:100%;height:100%;top:0;left:0;%27poeg2

Upon opening the link and moving your mouse cursor a little bit, the XSS would be triggered.
Maybe I'll do another post about the above payload in the future, but I tried some other payloads on the parameter, which didn't work.
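
Why the payload above works and what output encoding changes, as an added example (not code from the original post or from the affected site). It assumes the `tab` value was reflected inside a single-quoted attribute; `renderVulnerable`, `renderHardened` and the `data-tab` template are hypothetical. The injected `style` stretches the element over the whole page, which is why any mouse movement fires the handler.

```javascript
// Added example. Assumption: `tab` was reflected inside a single-quoted
// attribute. The templates below are hypothetical, not the site's code.
const PAYLOAD = "v9msv'onmouseover='alert(document.domain)'" +
  "style='position:absolute;width:100%;height:100%;top:0;left:0;'poeg2";

// Vulnerable: the value is concatenated into the attribute unencoded.
function renderVulnerable(tab) {
  return "<div class='tabs' data-tab='" + tab + "'>Tabs</div>";
}

// Encode every character that can close or alter an attribute value.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, value encoded for the attribute context.
function renderHardened(tab) {
  return "<div class='tabs' data-tab='" + encodeAttr(tab) + "'>Tabs</div>";
}

// Lists attribute names of the first tag, roughly the way an HTML
// tokenizer does (a new attribute may start right after a closing quote).
function attributeNames(html) {
  const re = /\s*([^\s=>\/]+)(?:\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]*)))?/y;
  re.lastIndex = html.search(/\s/); // skip "<div"
  const names = [];
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attributes that run script or restyle the element.
function riskyAttributes(html) {
  return attributeNames(html).filter((n) => /^on/.test(n) || n === "style");
}

console.log(riskyAttributes(renderVulnerable(PAYLOAD))); // [ 'onmouseover', 'style' ]
console.log(riskyAttributes(renderHardened(PAYLOAD)));   // []
```

With encoding applied, the whole payload stays inside the `data-tab` value and the tag keeps only the two attributes the template wrote.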


Thanks for reading, lots more things coming up!
