Stored XSS Via Alternate Text At Zendesk Support

Hi Guys,

Finding bugs nowadays is like finding a needle in an haystack, But i was lucky enough to get that needle.

Well…The story begins just like every bug hunter’s daily routine..

Just a normal day in search for any bug that i could get my hands on.

But no luck..Now they usual thought came in “Time to jump to the next program” and i jumped and landed straight on a program called ZENDESK ..

Now i had to find what does this website do🤔🤔…It took me about 20 minutes to understand that it was actually a Support desk providing site for other websites..

Ok Now to Initialise the hunt..

Tempmail..Account Create..Bla Bla, And Logged on to my account.

Hmmm….What next!!

Of course time to test for xss

Basically all i did was just inserting payloads on all the input fields i could get my hands on.

This is when i came across a rich text editor but it did not have any much function just like normal text editors.

In it i found a URL input field and what’s funny about this field is that it does not actually detect if the given input is a URL. So i put my favorite XSS payload “Love Img XSS Payload” in the url input field and click ok.

But Nothing….

But…Apart from the url input field there was a ALTERNATIVE TEXT for the url. So i tested my luck on that…gave a random url and dropped the XSS payload on the ALTERNATIVE TEXT and clicked on ok.

I Click on the Link and BOOM!!

Got XSSed….

Report Timeline :

  • Jul 23rd- Report Submitted
  • Jul 24th- Report Triagged
  • Aug 23rd- Bounty Time$$$
  • Sep 12th- Resolved and Got listed on thier HOF

And That's How a Alternative Text Executed a XSS…As it Goes.

So Adios Amigos…That's all 4 now..This is Hariharan Signing Off..