reflected XSS

In the beginning of May I decided I wanted to learn more about Chemistry, so I signed up for’s organic chemistry course. In the process of getting setup, I found a reflected XSS and a few boolean values in the cookie that presented me with an admin interface. I reported the vulnerabilities to on May 8th but received no response.

The reflected XSS is in the domain, is very straightforward and was exploited in Firefox 21.0.

PoC:<script>alert(document.domain);</script>&format=txt xss

The admin interface found at is not available to all users. Manipulating boolean cookie values opens the interface to anyone. However, it doesn’t appear you are able to do anything interesting once there.

Inside the ‘maestro_user’ cookie, there are boolean values that control access to the interface. These values as they appear in the original cookie are:

With the values set to false, navigating to results in an error page indicating I do not have permission to view the administration portion of the site. After editing the ‘maestro_user’ cookie such that the values are as follows:

Comments are closed.