How I turned Self XSS to Stored via CSRF

Abhishek Yadav
Nov 29, 2019 · 2 min read

Since the company told me to keep the name private, let's call it private.com.

So private.com allows users to create groups and then invite other users to share anything in that group. So I tried to find XSS in the group name and I found it quickly, like pretty quickly. My payload was zxc<script>alert(1)</script> in the group name and I got a pop-up.

So I tried to see if other users were impacted as well. I quickly created another account and invited that user to my group. The XSS didn't execute; it was all encoded. I tried to bypass it but didn't have any luck. So this was just a self-XSS. 😑

So I started looking around for something else and noticed that group names were encoded everywhere except in the dialog box that appeared after creating a group, which read:

We’ve added zxc

Turns out the self-XSS I found was in the dialog box and not in the group name itself, so I thought: what if I somehow managed to create a group on behalf of another user? Then the dialog box would appear and execute the XSS.

So I started Burp Suite, looked at the request, and voilà.

There was no CSRF protection on the request, so I quickly generated a Burp Suite CSRF PoC, tried it, and boom, the XSS got executed, and I was like.

This was a great find for me as it impacted other users. Technically I don't think it's a stored XSS, as it will execute only once, after the user visits the link.

Bounty

They fixed it quickly, within 2 days, by completely removing the dialog box and adding CSRF protection.
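To make the two defects behind this bug and their fix concrete, here is an added illustration in plain Python. It is not private.com's code (the post does not show any), and the session store, cookie names, and handler names are assumptions; it models the create-group endpoint once with cookie-only authentication and an unescaped dialog, and once with a session-bound CSRF token check and HTML escaping.

```python
import hmac
import html
import secrets
from dataclasses import dataclass

# Constructed session store (assumption): the victim "alice" is logged in,
# and her session carries a per-session anti-CSRF token.
SESSIONS = {"sid-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}

@dataclass
class Request:
    cookies: dict
    form: dict

def dialog_html(name: str) -> str:
    """The confirmation dialog from the post, with the group name interpolated."""
    return f"<div class=\"dialog\">We've added {name}</div>"

def create_group_vulnerable(req: Request) -> tuple:
    """Both defects at once: the cookie alone authenticates the state change,
    and the group name is reflected into the dialog without escaping."""
    SESSIONS[req.cookies["sid"]]  # raises KeyError if not logged in
    return 200, dialog_html(req.form["name"])

def create_group_hardened(req: Request) -> tuple:
    """The fix the post reports: a CSRF token tied to the session, plus
    HTML-escaping the name where it is rendered (here, the dialog)."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, ""
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403, ""
    return 200, dialog_html(html.escape(req.form["name"]))

def cross_site_post(name: str) -> Request:
    """Shape of a request from an auto-submitting form on another origin:
    the browser attaches the victim's cookie, but the form fields are only
    what the other origin chose, so the session's CSRF token is absent."""
    return Request(cookies={"sid": "sid-alice"}, form={"name": name})

PAYLOAD = "zxc<script>alert(1)</script>"  # the payload from the post

def demo() -> dict:
    """Run the cross-site request against both handlers, then a legitimate
    same-site request (with token) against the hardened one."""
    v_status, v_body = create_group_vulnerable(cross_site_post(PAYLOAD))
    h_status, _ = create_group_hardened(cross_site_post(PAYLOAD))
    legit = Request(cookies={"sid": "sid-alice"},
                    form={"name": PAYLOAD, "csrf_token": SESSIONS["sid-alice"]["csrf"]})
    l_status, l_body = create_group_hardened(legit)
    return {"vulnerable": (v_status, "<script>" in v_body),
            "hardened_forged": h_status,
            "hardened_legit": (l_status, "<script>" in l_body)}
```

Note that the CSRF check alone stops the cross-site trigger, and the escaping alone stops the script from running; the site needs both, because a future feature could re-introduce either path. A SameSite cookie attribute is a further, independent layer against the forged request.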

I hope you learned something from this, and if you liked it then please share and 👏.

Thank You.

Written by Abhishek Yadav, Pentester | Bug-Bounty
