How I turned Self XSS to Stored via CSRF

The site allows users to create groups and then invite other users to share anything in that group. So I tried to find XSS in the group name, and I found it quickly, pretty quickly. My payload was `<script>alert(1)</script>` in the group name, and I got a pop-up.

So I tried to see if other users were impacted as well. I quickly created a second account and invited that user to my group. The XSS didn’t execute; the group name was encoded everywhere. I tried to bypass the encoding but didn’t have any luck. So this was just a Self XSS. 😑

So I started looking around for something else, and I noticed that group names were encoded everywhere except in the dialog box that appeared right after creating a group. The dialog read:

> We’ve added zxc

Turns out the Self XSS I found was in the dialog box and not in the group name itself. So I thought: what if I could somehow create a group on behalf of the victim? The dialog box would then appear in their browser and execute the XSS.

So I started Burp Suite, looked at the group-creation request, and voilà.

There was no CSRF protection on the request, so I quickly generated a working PoC and tried it, and boom, the XSS got executed, and I was like.

This was a great find for me as it impacted other users. Technically, I don’t think it’s a stored XSS, as it executes only once, after the user visits the link.

They fixed it quickly, within 2 days, by completely removing the dialog box and adding CSRF protection.

