Major League Baseball Reflected XSS

Recently I have been looking for vulnerabilities such as XSS/CSRF within online applications and came across an XSS vulnerability within the Major League Basketball (MLB) website, which in question was vulnerable to reflected XSS. I did attempt responsible disclosure through Open Bug Bounty [3] and attempted contact via Twitter also, with no response returned and hence full disclosure.

In particular, the website was vulnerable within the “FORM_CODE” parameter with the payload of “–!><Svg/Onload=confirm(‘ OPENBUGBOUNTY’)>” being used to exploit the reflected XSS vulnerability. (See below).

(more…)