Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting

# Exploit Title: Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting
# Exploit Author: Prasenjit Kanti Paul
# Vendor Homepage:
# Software Link:
# Version: Forcepoint Web Security 8.5
# Tested on: Windows 7,10 and Linux Mint
# CVE : CVE-2019-6146
# ForcePoint KBA:
# Video PoC:

# Description: The user must visit a site that is restricted by
# Forcepoint policy, so that Forcepoint Web Security serves its generic
# block page. While rendering the "Domain Name" in that generic page,
# Forcepoint does not validate the Host header, which causes XSS.

Let's assume that, while accessing, Forcepoint Web Security prevents
us from going to that website with its custom exception/blocking page. Now
follow the steps below:


   1. Intercept the traffic while accessing
   2. Modify the Host header from to ">
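The root cause is a block page that reflects the request's Host header without validating or escaping it. The following is an added defender's example (not Forcepoint's code, and not from the original advisory) of how such a page should handle that value: reject anything that is not a hostname[:port], escape what is rendered, and include a check a tester can run against a block page to confirm the raw value no longer reaches the HTML. All function names are hypothetical.

```python
import html
import re

# RFC 1123 hostname label: alphanumeric, optional inner hyphens, 1-63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# hostname, optional trailing dot, optional port. IPv6 bracket literals are
# deliberately not accepted here (conservative choice for a block page).
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?(?::\d{{1,5}})?$", re.IGNORECASE)


def valid_host(host: str) -> bool:
    """True only if the Host header value looks like hostname[:port]."""
    host = host or ""
    return len(host) <= 253 + 6 and bool(_HOST_RE.match(host))


def render_block_page(host: str) -> str:
    """Build a minimal block page that shows the requested domain safely.

    Two independent layers: malformed Host values are rejected outright
    (the 'validate Host header' fix the advisory calls for), and whatever
    is rendered is HTML-escaped so a valid-looking value still cannot
    break out of the surrounding markup.
    """
    shown = html.escape(host, quote=True) if valid_host(host) else "(invalid host)"
    return (
        "<html><body><h1>Access blocked by policy</h1>"
        f"<p>Domain Name: {shown}</p></body></html>"
    )


def reflected_unsafely(host: str, body: str) -> bool:
    """Verification check for an existing block page: the raw Host value
    contains markup characters and appears verbatim in the response body,
    meaning it was neither rejected nor escaped."""
    return any(c in host for c in "<>\"'") and host in body


if __name__ == "__main__":
    # Constructed sample values: a normal host and a malformed one.
    for h in ("intranet.example.com:8080", '"><i>x</i>'):
        page = render_block_page(h)
        print(h, "->", "unsafe" if reflected_unsafely(h, page) else "safe")
```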


   - Oct. 21, 2019 - Issue Reported to PSIRT team of ForcePoint
   - Oct. 23, 2019 - ForcePoint team confirms the issue
   - Oct. 24, 2019 - CVE-2019-6146 has been assigned
   - Jan. 23, 2020 - ForcePoint KBA has been published with proper fixes

*Prasenjit Kanti Paul*