Bypassing Netflix's XSS filter


Bypassing Netflix's XSS filter

Summary

So I got on another Hall of Fame (I'm aiming for one each week) by finding a Reflected Cross-site scripting (XSS) in Netflix.

Here's the link: https://help.netflix.com/en/node/6657

Netflix XSS

When dealing with user input, in many cases you need to do your own input handling - which Netflix had to do for their website, as it's fully custom. Filtering possible XSS entry points looks like an easy task, yet many still make common mistakes.

Bypassing the filter

Netflix is sanitizing all the parameter values coming from the url, but they forgot to properly sanitize the parameter names themselves. There was a filter in place but pretty weak as it looked like a simple tag-replacing regex.

This would not output the script as the regex replaces the tags:
https://contactus.netflix.com/contactus?locale=nl-SE&"><script>alert(2)</script>=1337

But we'll be making their regex return the initial payload:
https://contactus.netflix.com/contactus?locale=nl-SE&"><<x>script>alert(2);<<x>/<x>script>=1337

The regex would remove any tags and other blacklisted combinations like </ and leave us with the injected payload.

What should you do?