Self XSS leads to blind XSS and reflected XSS.
In regards to this tweet: https://twitter.com/Skeletorkeys/status/1026497897871884289
This website does not want me to disclose their website name,until they have setup their Bounty Program, which I will disclose in the future if they allow me to — or they will likely do it themselves from my interpretation on what they said. However in this post, I will explain to my best knowledge on how KNOXSS plays a role here, how I got a blind XSS through a self XSS and a reflected XSS.
If you message me on Twitter for help, then I will try my best to assist you! But regarding this website will be a straight NO. My reason is simple for that: I do not want to break their privacy nor lose my contact with them, or any other future bounties this website has to offer me.
I don’t expect this to work for everyone, or some of you since each websites WAF security is different than-one-and-another — and how it works.
Now to the fun part:
To XSS yourself on this website was the most trickiest part and difficult part. When I tried to input the following tags :
", ', ><, / and \ — I saw that they were being filtered in their live support chat and wasn’t being rendered in at all. After spending 20 - 30 mins, I tried some HTML entities and I saw my outputs being rendered in regular tags, so I decided to cook up an image tag XSS.
That being said, I used the following HTML entities:
"><img src=x onerror=alert(1);> and my output became
"><img src=x onerror=alert(1);> which then gave me this:
Then their live support team member messaged me saying: “Hey did you send a popup box with a message saying “1”, and I responded with “Yes I did.” That moment I knew I had a blind XSS which reflects back into their Admin Panel.
So I quickly cooked up another payload to grab their cookies — the big boys cookies. That moment I knew I had access to their Administrators and Devs account. I swiftly contacted them and their Administrators again and I was asked me if I could login as them and give a proof of concept — which I did.
Logged in and changed their names to my name for a bit more proof of concept. They were shocked.
They asked me for my PayPal to send me a lil something, something. ;)
I was awarded $500 for this with the reason “Security Guy.” Ha.
I used Sublist3r which helped me locate and able to find all their subdomains. I found one of their subdomain http://search.websitename.com which wasn’t listed on their website at all and it wasn’t secured at all. Just had a search box, a bunch of outdated information.
First I tried
"><svg/onload=alert(1)> and I got no alert. Which was a bummer. I tried every single possible payload I could think of and got no result. So I went to KNOXSS and posted my POST DATA and saw something interesting which was
%3E%3CScrip%3E being rendered in the URL as
></Script>. So I did a quick Google and found a payload that was similar to something I was using, and that payload was:
1%3C!%27/*%22/*\%27/*\%22/* — %3E%3C/Script%3E%3CImage%20Srcset=K%20*/;%20Onerror=confirm1%20//%3E#
I input that in my URL with my POST DATA and got my little confirmation 1. I quickly contacted their Administrators and Devs and explained how dangerous this can be and how bad it could be. They agreed with me and quickly took down that subdomain.
I was then rewarded $200 for a reflected XSS and with a little reason: “Try to reflect this back.” They have a great sense of humor. Ha.
Total bounty for the day: $700 USD
If you have any questions or comments, feel free to message me on Twitter, or tweeting me @Skeletorkeys
Thank you for reading and I hope this is informative enough and I do apologize for not sharing that domain with you all. Again, this isn’t my choice it’s the websites choice and I respect that and I hope you guys do as well.
I probably used some terms wrong too. Heh.
Anyways, thanks for reading.