Lookout

Ch. Muhammad Osama, an independent vulnerability researcher, discovered a DOM-based Cross-Site Scripting (XSS) vulnerability in the Lookout website www.lookout.com, which an attacker could exploit to run script of their choosing in a victim's browser in the context of that site.

DOM Cross-Site Scripting :-

DOM-based XSS (called "type-0 XSS" in some texts) is an XSS attack in which the payload executes because the attacker has modified the DOM "environment" that the page's own client-side script reads in the victim's browser, so that the legitimate client-side code runs in an unexpected way. The HTTP response itself does not change; the client-side code contained in the page behaves differently because of the malicious data placed in the DOM environment, typically via sources such as location.hash, location.search, document.referrer or window.name.

This is in contrast to stored and reflected XSS, where the payload is placed in the response page because of a server-side flaw. A practical consequence is that when the payload travels in the URL fragment (the part after #), it is never sent to the server, so server-side logs and filters do not see it at all.

Proof of Concept :-

URL :- POC Link Here

Screenshot: lookout-poc-aurora

Screenshot: lookout-poc-opera

Video Explanation :-

Conclusion :-

This vulnerability has been confirmed and patched by the Lookout Security Team. I would like to thank them for their quick response to my report.

Status : Fixed!
Hall of Fame : Yes!
Bounty: No!


Choudhary Muhammad Osama

This is Choudhary Muhammad Osama, a highly accomplished Penetration Tester, Security Analyst and Linux Administration enthusiast, with extensive experience in implementing, maintaining, securing and pentesting web applications and networks.
