Reflected XSS at České Budějovice Observatory

17. November 2024 - Vulnerability was reported
24. August 2025   - Follow-up report resent

A security vulnerability of the type reflected Cross-Site Scripting (XSS) has been identified, which could potentially be exploited to compromise the security of user data.

The vulnerability is caused by the possibility of injecting malicious code through an input field. Such code could be executed in the web browser of other users, which may result in the disclosure of sensitive information (for example cookies) or lead to other security issues.

The vulnerability has been observed on the following websites:

Proof-of-concept

The search form on all the mentioned websites contains a reflected XSS vulnerability. By entering this into the search field

"><script>alert('reflected')</script><img src=x style=display:none onerror=null alt="

you trigger reflected XSS.

Reflected XSS vulnerability triggered via search input

Attackers do not typically operate this way, since the victim is aware of what is happening and the result is visible.

In reality, the attack would be invisible and unnoticeable to the victim, and could look like this:

  1. The victim visits a link, for example via a QR code on a flyer, a Facebook event, an email, etc. The link itself may appear normal—shortened URLs are commonly used and raise no suspicion. Attackers rely on social engineering, for example by inviting the victim to look at an astronomical object, pretending to ask about a tour, and so on.
  2. The visited page then silently redirects the victim, as expected, to the legitimate website https://hvezdarnacb.cz. The observatory’s site appears normal and works as intended.
  3. However, in addition to visiting https://hvezdarnacb.cz, the victim’s browser is invisibly poisoned.
  4. Depending on its complexity, the injected code can carry out the attacker’s intentions. Through JavaScript, the attacker could essentially take remote control of the victim’s browser without their knowledge. This could include stealing access to the administration panel, attempting to control the webcam, spawning fake login prompts for services like Facebook, or silently recording user activity on the site.

Example

  1. The victim clicks the link (web page, QR code, email, ...) and is redirected as expected.
  2. Meanwhile, the victim’s JavaScript runtime environment is poisoned.
  3. The attacker can log the victim’s activity, show a fake login form, and more.

The upper screen is the victim’s, the lower one is the attacker’s.

Attacker manipulates victim’s browser

Fix

The good news is that there are protective mechanisms to prevent this behavior, or at least mitigate it, and they are commonly implemented in practice.

  • Filter user input in forms and encode it before reflecting it into the page.
  • Implementing CSP (Content Security Policy) prevents arbitrary scripts from being loaded into the victim’s browser environment (arbitrary scripts pose the highest risk).
  • Implementing cookie security attributes—HttpOnly, Secure, SameSite—prevents an attacker from easily manipulating cookies and impersonating an administrator.
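As an added illustration (not the observatory’s code, which this report does not show), the following Python example takes the proof-of-concept search term from above, first reflected unescaped into the results page, then rendered with HTML output encoding, and builds the CSP and cookie attributes listed in the points above. The function names, the `session` cookie name and the exact CSP directives are assumptions chosen for the example.

```python
import html

# Constructed sample input: the same kind of search term as in the report's
# proof of concept. This is an added example, not the observatory's code.
SAMPLE_QUERY = '"><script>alert(\'reflected\')</script><img src=x style=display:none onerror=null alt="'


def render_search_vulnerable(query: str) -> str:
    """Reflects the search term into the page unescaped (the defect the report describes).

    The leading `">` closes the value attribute and the <input> tag, so the rest of
    the term is parsed as live markup.
    """
    return f'<input type="text" name="q" value="{query}">\n<p>Results for: {query}</p>'


def render_search_fixed(query: str) -> str:
    """Contextual output encoding: every reflection of the term is HTML-escaped.

    html.escape(quote=True) turns & < > " ' into entities, so the attribute cannot be
    broken out of and the <script> tag becomes inert text.
    """
    safe = html.escape(query, quote=True)
    return f'<input type="text" name="q" value="{safe}">\n<p>Results for: {safe}</p>'


def security_headers(session_id: str) -> dict:
    """Defence in depth: headers that limit what injected script could do if encoding were missed.

    Cookie name and CSP directives are assumptions for this example.
    """
    return {
        # Only same-origin scripts may run; inline <script> blocks and inline event
        # handlers are blocked because no 'unsafe-inline' is granted.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        # HttpOnly keeps document.cookie from exposing the session, Secure restricts it
        # to HTTPS, SameSite=Lax stops most cross-site requests from carrying it.
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
    }


def contains_live_script_tag(rendered: str) -> bool:
    """Simple check: does the rendered HTML still contain an unescaped <script> tag?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable :", render_search_vulnerable(SAMPLE_QUERY))
    print("fixed      :", render_search_fixed(SAMPLE_QUERY))
    print("headers    :", security_headers("example-session-id"))
```

The escaping step is the actual fix for reflected XSS; the CSP and cookie attributes do not remove the bug but reduce what an overlooked reflection can achieve (no inline script execution, no session cookie readable from JavaScript).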

A good practice is to publish a security.txt document in accordance with RFC 9116. It’s a simple, small text file that tells ethical hackers how to securely report any findings, if you’re interested. You can find inspiration here:

Company      URL
Google       https://www.google.com/.well-known/security.txt
Cloudflare   https://www.cloudflare.com/.well-known/security.txt
Apple        https://www.apple.com/.well-known/security.txt
Microsoft    https://www.microsoft.com/.well-known/security.txt