Bypassing Netflix's XSS filter


So I got on another Hall of Fame (I'm aiming for one each week) by finding a Reflected Cross-site scripting (XSS) vulnerability in Netflix.

Here's the link:

When dealing with user input you often end up writing your own input handling, which Netflix had to do for their website, as it is fully custom. Filtering the obvious XSS entry points looks like an easy task, yet many still make the same common mistakes.

Bypassing the filter

Netflix sanitized all of the parameter values coming from the URL, but forgot to properly sanitize the parameter names themselves. A filter was in place, but it was weak: it behaved like a simple tag-replacing regex.

This would not output the script, as the regex replaces the tags:

"><script>alert(2)</script>=1337

This one, however, did:

"><<x>script>alert(2);<<x>/<x>script>=1337

The regex removed any tags, as well as other blacklisted combinations such as </, but it did not re-scan its own output. Stripping the bogus <x> tags therefore reassembled the injected payload: <<x>script> became <script> and <<x>/<x>script> became </script>, while the </ blacklist never fired because the raw input never contained a literal </. What was left was the working payload.
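As an added example (not code from this post or from Netflix), the following JavaScript reconstructs a single-pass tag-stripping filter of the kind described above, runs both parameter names through it, and contrasts it with an allowlist on parameter names and with context-aware encoding. The exact regex, the render template, the identifier character set and the parameter name profile_id are assumptions made for the example.

```javascript
// Added example, not code from the post or from Netflix. It reconstructs a
// single-pass "tag-replacing" filter of the kind the write-up describes,
// runs both parameter names through it, and contrasts two safer approaches.

// Hypothetical weak filter: one global regex that deletes anything shaped
// like an HTML tag plus the blacklisted "</" sequence. A single regex pass
// never re-scans text it has already rewritten, so a tag that only comes
// into existence once the <x> decoys are removed survives intact.
function weakStrip(input) {
  return input.replace(/<\/?[a-zA-Z][^<>]*>|<\//g, "");
}

// Re-running the same filter until nothing changes closes this specific
// hole, but it is still a blacklist: every construct it does not anticipate
// goes straight through, so it is shown here only for comparison.
function stripToFixedPoint(input) {
  let previous;
  let current = input;
  do {
    previous = current;
    current = weakStrip(previous);
  } while (current !== previous);
  return current;
}

// Safer option 1: parameter names are not free text. Accept only names that
// look like identifiers and reject everything else outright (the exact
// character set is an assumption for this example).
const PARAM_NAME = /^[A-Za-z0-9_-]{1,64}$/;
function isValidParamName(name) {
  return PARAM_NAME.test(name);
}

// Safer option 2: if a name must be echoed into markup, encode it for the
// HTML attribute context instead of trying to delete dangerous substrings.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical template standing in for wherever the name was reflected:
// the leading '">' in the payload closes the attribute and the tag.
function render(name, filter) {
  return `<input type="hidden" name="${filter(name)}" value="1337">`;
}

// Crude check used by the demo: did a real <script> element reach the page?
function containsScriptTag(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// The two parameter names from the write-up (the query string was name=1337).
const blockedName = '"><script>alert(2)</script>';
const bypassName = '"><<x>script>alert(2);<<x>/<x>script>';

function demo() {
  return {
    blockedAfterWeakStrip: weakStrip(blockedName),        // ">alert(2)
    bypassAfterWeakStrip: weakStrip(bypassName),          // "><script>alert(2);</script>
    bypassAfterFixedPoint: stripToFixedPoint(bypassName), // ">alert(2);
    weakStripExecutes: containsScriptTag(render(bypassName, weakStrip)),    // true
    encodedExecutes: containsScriptTag(render(bypassName, escapeHtmlAttr)), // false
    bypassNameAccepted: isValidParamName(bypassName),     // false
    normalNameAccepted: isValidParamName("profile_id"),   // true
  };
}

console.log(demo());
```

The point of the comparison is that both safer options stop reasoning about what an attacker might type: the allowlist rejects anything that is not a plausible field name, and the encoder makes the reflected string inert in the attribute context regardless of its content, whereas every variant of stripping has to anticipate the next trick.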

What should you do?

Avoid writing your own filter; use a well-known, maintained one, and encode output for the context it lands in rather than stripping blacklisted substrings. Reject input that is obviously not a value or a known field, such as unexpected parameter names. Stop thinking XSS is not a big deal. It is a big deal. Ask Adobe.