DOM XSS in the /subscribe/ page
From the original HackerOne report:
Summary:
Found Reflected XSS
Steps To Reproduce:
- On the Sign Up for Tor News page, in the email box, put the below script and wait for a while:
<script>alert(1)</script>
It will pop up "1", an indication of reflected XSS.
Impact
XSS can cause serious issues. Attackers often leverage XSS to steal session cookies and impersonate the user. Attackers can also use XSS to deface websites, spread malware, phish for user credentials, support social engineering techniques, and more.
My triage answer:
Hello @samratanand, thank you very much for your report.
As you can read in our program overview,
Other services (like the website, bug tracker, and server infrastructure) or products (like OONI or Orbot) are out of scope
Also, this is not a reflected XSS (you cannot trigger it from another site without further user interaction), but a DOM XSS, which is rather more difficult to actually exploit: as far as I can see it would require the user to actually interactively modify the email field and trigger the buggy validation feedback, but please correct me if I'm wrong.
Nonetheless it's an actual flaw to be fixed, therefore I've forwarded this information to our web team.
As soon as the bug is patched I'll set this report's status to "Resolved" to benefit your reputation score, even if it's not eligible for a bounty.
Thanks again and have a nice holiday season.
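To make the distinction in the triage answer concrete, here is an added example that is not the Tor Project's /subscribe/ code and makes no claim about what that page actually did. It models a hypothetical sign-up form whose client-side validation feedback echoes the typed address back into the page: the value never reaches the server, so the bug is DOM-based and only fires when the victim's own browser runs the validation on a value containing markup. The regex, element ids and feedback strings are assumptions for the illustration; the payload constant is the one from the report.

```javascript
// Added example (not the Tor Project's code): hypothetical newsletter
// sign-up validation that reflects the typed e-mail back into the page.
// Nothing here goes to the server, which is why a crafted link cannot
// trigger it: the victim has to put the payload into the field.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // assumed validation rule

// Vulnerable pattern: untrusted input concatenated into an HTML fragment.
// If the page then does `feedbackEl.innerHTML = feedbackHtmlUnsafe(value)`,
// any markup in the address is parsed and rendered as live DOM.
function feedbackHtmlUnsafe(email) {
  if (EMAIL_RE.test(email)) {
    return '<span class="ok">Thanks, please check your inbox.</span>';
  }
  return '<span class="error">"' + email + '" is not a valid e-mail address.</span>';
}

// Fix 1: escape the five HTML-significant characters before concatenation,
// so the same innerHTML sink now renders the payload as inert text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function feedbackHtmlSafe(email) {
  if (EMAIL_RE.test(email)) {
    return '<span class="ok">Thanks, please check your inbox.</span>';
  }
  return '<span class="error">"' + escapeHtml(email) + '" is not a valid e-mail address.</span>';
}

// Fix 2 (preferred in the browser): never build HTML from the value at all.
// Create the element and set the message through textContent, which treats
// the value purely as character data. `doc` is passed in so the function
// can be exercised outside a browser with a minimal stand-in.
function renderFeedback(doc, email) {
  const span = doc.createElement('span');
  if (EMAIL_RE.test(email)) {
    span.className = 'ok';
    span.textContent = 'Thanks, please check your inbox.';
  } else {
    span.className = 'error';
    span.textContent = '"' + email + '" is not a valid e-mail address.';
  }
  return span;
}

// Browser wiring (skipped under Node). The element ids are assumed.
if (typeof document !== 'undefined') {
  const input = document.getElementById('email');
  const out = document.getElementById('feedback');
  input.addEventListener('input', () => {
    out.replaceChildren(renderFeedback(document, input.value));
  });
}

// The payload from the report, kept as a constant for the demonstration.
const PAYLOAD = '<script>alert(1)</script>';
```

Two practical notes when confirming a DOM XSS like this one: a `<script>` element inserted through `innerHTML` is not executed by browsers, so if an alert fires the sink is something else (for example `document.write`, a library's `.html()` helper, or an event-handler attribute such as `onerror` in the injected markup), and it is worth identifying the exact sink before rating the finding. Second, because the source is the field the user types into rather than a URL parameter, the attacker has no way to deliver the payload from another site, which is what the triage answer means by "further user interaction".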