NS International Train Tickets v7.31.4 Reflected XSS Vulnerability


Vendor: NS International BV
Product web page: https://www.nsinternational.nl
Affected version: 7.31.4

Summary: NS International Train Tickets is a web application that is
used by NS International (Dutch railways) to manage (search, book,
plan, buy) train tickets for international travels from the Netherlands.

Desc: NS International Train Tickets confirmation page 'bookingConfirm'
is vulnerable to a Reflected XSS. The input provided to the 'dnr' query
string parameter is reflected to the validationMismatch.html page. This
can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

Tested on: Opera 49.0.2725.39
           Google Chrome 60.0.3112.90
           Firefox Quantum 57.0.1


Vulnerability discovered by Stefan Petrushevski
                            @ztefan
                            

Advisory ID: ZSL-2017-5441
Advisory URL: https://zeroscience.mk/en/vulnerabilities/ZSL-2017-5441.php


15.10.2017

--


PoC:

https://treintickets.nsinternational.nl/d-cobs-web/bookingConfirm.html?confirmationID=543b98e672749fb144fdfde9f2ef49945079f0928505c43b19390396db2294f2&dnr=XXXX"><script>alert(1)</script>&locale=en_GB