Porsche Website and API Vulnerability Leads to Data Exfiltration

Porsche’s well-established Vulnerability Reporting Policy gave the Checkmarx Security Research team a sanctioned path to test and report a vulnerability in a Porsche website and its GraphQL API [1]. Chained together, the weaknesses described below could be used to exfiltrate data from the API on behalf of a logged-in user.

Description

The vulnerability involves a Cross-Site Scripting (XSS) attack scenario. A vulnerable Porsche website allowed arbitrary script to be injected into the server response [4], so that it ran in the victim’s browser within the victim’s session. By exploiting this [1] [4], attackers could use the injected script to call the API as the victim and send the returned data to a remote server they controlled [1] [4].

The API retrieves the authentication token from the jwtToken cookie when a custom request header is not present [1] [2] [4], and its CORS configuration accepts requests from origins other than porsche.com [1] [2] [4]. The jwtToken cookie’s SameSite attribute is set to Lax, so the browser does not attach it to cross-site subrequests such as fetch or XMLHttpRequest calls made from an unrelated site (Lax still sends it on top-level GET navigations) [2] [4]. However, same-site is judged on the registrable domain and scheme rather than the full hostname, so any page served over HTTPS from a subdomain of porsche.com is “same site” with the API, and the jwtToken cookie is automatically included in requests that injected script makes to the API [2] [3] [4]. SameSite therefore blocks a request from an attacker-owned domain but not one from script running on a porsche.com subdomain, and the permissive CORS policy lets that script read the API’s response.
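The following is an added example, not code from the original article, from Checkmarx or from Porsche. It models the two browser rules the paragraph above relies on: whether a SameSite cookie is attached to a request a page makes to the API, and whether the page’s CORS policy lets the caller read the response. The API URL, the subdomain names, the custom header name and the allow-listed origin are assumptions for illustration.

```javascript
// Added example, not code from the original article, Checkmarx or Porsche.
// Models when a SameSite cookie rides along with a request and when CORS
// lets the requesting script read the response. Hostnames, the API URL,
// the custom header name and the allow-listed origin are assumptions.

const API_URL = 'https://api.porsche.com/graphql'; // assumed endpoint

// The cookie as the article describes it: SameSite=Lax and Secure.
const jwtToken = { name: 'jwtToken', sameSite: 'Lax', secure: true };

// Simplified registrable domain: the last two labels of the host. Real
// browsers consult the Public Suffix List; two labels is enough for .com.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// "Schemeful same-site": same scheme and same registrable domain.
// https://sub.porsche.com and https://api.porsche.com are same-site;
// https://attacker.example and http://sub.porsche.com are not.
function isSameSite(originA, originB) {
  const a = new URL(originA);
  const b = new URL(originB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Would the browser attach `cookie` to a request that a page at
// `initiatorOrigin` makes to `targetUrl`?
function cookieIsSent(cookie, initiatorOrigin, targetUrl,
                      { method = 'GET', topLevel = false } = {}) {
  const target = new URL(targetUrl);
  if (cookie.secure && target.protocol !== 'https:') return false;
  const sameSite = isSameSite(initiatorOrigin, target.origin);
  switch (cookie.sameSite) {
    case 'Strict': return sameSite;
    case 'None':   return cookie.secure;
    case 'Lax':    // fall through: Lax is also the browser default
    default:
      // same-site always; cross-site only for top-level safe-method navigations
      return sameSite || (topLevel && (method === 'GET' || method === 'HEAD'));
  }
}

// Server side: the API falls back to the cookie when the custom header is
// absent. The header name is an assumption.
function resolveToken(headers, cookies) {
  return headers['x-auth-token'] ?? cookies.jwtToken ?? null;
}

// CORS policies. The permissive one reflects any Origin and allows credentials.
const reflectAnyOrigin = {
  allowOrigin: origin => origin,
  allowCredentials: true,
};
// An exact-match allow-list (assumed origin).
const allowListOnly = {
  allowOrigin: origin => (['https://www.porsche.com'].includes(origin) ? origin : null),
  allowCredentials: true,
};

// Can a script at `requestOrigin` read the API response under `policy`?
// For a credentialed request the browser requires ACAO to echo the exact
// origin (never '*') and Access-Control-Allow-Credentials: true.
function responseReadable(policy, requestOrigin, credentialed) {
  const acao = policy.allowOrigin(requestOrigin);
  if (acao === null) return false;
  if (credentialed) return acao === requestOrigin && policy.allowCredentials === true;
  return acao === '*' || acao === requestOrigin;
}

// The chain from the article: script at `initiatorOrigin` POSTs to the API
// without the custom header, the cookie rides along if same-site, the API
// authenticates from the cookie, and CORS decides whether the script can read
// what comes back.
function dataExfiltrable(policy, initiatorOrigin) {
  const sent = cookieIsSent(jwtToken, initiatorOrigin, API_URL, { method: 'POST' });
  const cookies = sent ? { jwtToken: '<victim-jwt>' } : {};   // constructed value
  const authenticated = resolveToken({}, cookies) !== null;
  return authenticated && responseReadable(policy, initiatorOrigin, true);
}

// Scenarios (runs stand-alone with `node`):
for (const origin of ['https://attacker.example', 'https://sub.porsche.com', 'http://sub.porsche.com']) {
  console.log(origin, 'reflect-any-origin:', dataExfiltrable(reflectAnyOrigin, origin),
              'allow-list:', dataExfiltrable(allowListOnly, origin));
}
```

Only the HTTPS porsche.com subdomain combined with the origin-reflecting policy yields an authenticated, readable response; the attacker-owned domain never gets the cookie, and the plain-HTTP subdomain fails schemeful same-site. Note what CORS does and does not gate: with the strict allow-list the script on sub.porsche.com can no longer read the response, but the cookie is still sent and the server still executes the request, so a state-changing GraphQL mutation would still go through.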

To prevent XSS attacks, it is crucial to encode untrusted data for the context in which it is placed before it reaches the response [1]. A properly restricted CORS policy does not stop XSS itself, but it limits which origins can read authenticated API responses, and it must match an exact allow-list of origins rather than reflect whatever Origin header arrives [1]. Because every HTTPS subdomain of porsche.com counts as same-site, the SameSite=Lax cookie alone is not a trust boundary; an API that requires the custom header instead of falling back to the cookie would not be reachable with ambient cookie authentication in the first place.
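The following is an added example, not code from the original article or from Porsche, showing the two server-side defences named above: context-appropriate encoding of the reflected value, and an exact-match CORS allow-list beside the substring check that a careless implementation often uses. The allowed origins and the page template are assumptions for illustration.

```javascript
// Added example, not from the original article: output encoding for a
// reflected value and an exact-match CORS allow-list. The allowed origins
// and the page template are assumptions.

// Encoding for text placed inside element content or quoted attribute values.
// Script, URL and CSS contexts need their own encoders.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// The pattern that produces reflected XSS: untrusted input concatenated
// straight into the response body.
function renderSearchVulnerable(query) {
  return `<p>Results for ${query}</p>`;
}

// The same page with the value encoded for the HTML text context.
function renderSearch(query) {
  return `<p>Results for ${encodeHtml(query)}</p>`;
}

// Exact-match allow-list of full origins (scheme + host + port). Assumed values.
const ALLOWED_ORIGINS = new Set([
  'https://www.porsche.com',
  'https://shop.porsche.com',
]);

// A common mistake: substring or prefix matching on the Origin header.
// It accepts lookalike hosts and every subdomain the API never intended.
function weakOriginAllowed(origin) {
  return typeof origin === 'string' && origin.includes('porsche.com');
}

// Response headers for a credentialed CORS request. When the origin is not on
// the list no CORS headers are emitted, so the browser refuses to expose the
// response to the calling script.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,   // echo the exact origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                        // keep caches from mixing per-origin answers
  };
}

// Usage (runs stand-alone with `node`). The probe is a constructed marker payload.
const probe = '<script>alert(document.domain)</script>';
console.log(renderSearchVulnerable(probe));  // script tag survives intact
console.log(renderSearch(probe));            // rendered as inert text
const origins = ['https://www.porsche.com', 'https://sub.porsche.com',
                 'https://porsche.com.evil.example', 'null'];
for (const o of origins) {
  console.log(o, 'weak:', weakOriginAllowed(o),
              'strict:', Object.keys(corsHeadersFor(o)).length > 0);
}
```

The substring check accepts both an arbitrary porsche.com subdomain (the exact case the article describes) and a host such as porsche.com.evil.example; the Set lookup accepts neither. The `Vary: Origin` header matters once the allow-list has more than one entry, otherwise a shared cache can serve one origin’s Access-Control-Allow-Origin value to another.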

Conclusion

Porsche has received the Checkmarx Seal of Approval for their collaboration and professionalism in the disclosure and remediation process [1]. Organizations should encode untrusted data to prevent XSS and keep a strict, exact-match CORS policy so that a single injection point on one subdomain cannot be turned into read access to an authenticated API. This vulnerability highlights the need for ongoing vigilance and proactive security measures to protect sensitive data.

References

[1] https://thehackernews.com/2023/07/a-data-exfiltration-attack-scenario.html
[2] https://secoperations.wordpress.com/2023/07/29/a-data-exfiltration-attack-scenario-the-porsche-experience/
[3] https://cyber.vumetric.com/security-news/2023/07/28/a-data-exfiltration-attack-scenario-the-porsche-experience/
[4] https://www.ihash.eu/2023/07/a-data-exfiltration-attack-scenario-the-porsche-experience/