How I was able to turn self xss into reflected xss

Hello there,

I’m Hein Thant Zin, just a noob bug hunter. Today I would like to share one of my recent findings in a HackerOne private program.

Let’s say https://reacted.com

While I was testing this site, I found a function that lets you transfer money to another account via a wallet address.

https://reacted.com/manage/transfer

I put an XSS payload in this field. The input was processed automatically, but the payload did not fire, because they validated that the wallet address must start with ‘xyz’ and be 98 characters long.

So I prepared my payload like this:

xyzaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<img src=x onerror=confirm(document.domain)>

Then, when I submitted the above payload, the XSS fired :”) I was like


But this is basically self-XSS, which is not exploitable against other users. So how could I exploit other users? I thought about it, and about 15 minutes later I noticed that they provided two ways to fill in the wallet address:

  1. Copy / Paste
  2. Scanning QR image

What happens if an attacker encodes his XSS payload as a QR image and sends it to the victim as a payment address? I encoded my payload like this:


Then I scanned my QR code, the payload was executed automatically, and the alert popped up. That is enough to exploit other users, because no user action is needed to execute the payload, and the payload inside the QR image is not visible as plaintext.
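The root cause described above is a wallet-address check that only looks at the prefix and the length, so a value decoded from a QR code is treated exactly like a hand-typed one and is then rendered into the page unencoded. The following is an added example, not code from the original post or from the affected program: it places that weak check beside a hardened allowlist check and the output encoding that would have stopped the payload even if it had passed validation. All names (`weakValidate`, `strictValidate`, `escapeHtml`, `acceptScannedValue`, `renderField`) and the alphanumeric address alphabet are assumptions; a real address format would use its own alphabet and checksum.

```javascript
// Added example: weak vs. hardened wallet-address validation and safe rendering.
// Names and the address alphabet are assumptions, not the program's real code.

const WALLET_PREFIX = "xyz"; // from the post: address must start with 'xyz'
const WALLET_LEN = 98;       // from the post: address must be 98 characters long

// Weak check, as the post describes it: prefix and length only. Any characters
// in between are accepted, including '<', '>' and '=' needed for markup.
function weakValidate(addr) {
  return typeof addr === "string" &&
    addr.startsWith(WALLET_PREFIX) &&
    addr.length === WALLET_LEN;
}

// Hardened check: allowlist the exact shape. Assumed alphabet [0-9A-Za-z];
// anything outside it (such as '<', ' ' or '(') is rejected outright.
const WALLET_RE = new RegExp(
  `^${WALLET_PREFIX}[0-9A-Za-z]{${WALLET_LEN - WALLET_PREFIX.length}}$`
);
function strictValidate(addr) {
  return typeof addr === "string" && WALLET_RE.test(addr);
}

// HTML-context output encoding: a value that reaches the page is shown as text,
// never parsed as markup. This is the second layer, independent of validation.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The QR path is just another input channel: whatever the decoder returns must
// go through the same validation as pasted text. Returns the clean address or null.
function acceptScannedValue(decodedText) {
  const candidate = String(decodedText).trim();
  return strictValidate(candidate) ? candidate : null;
}

// Models what the transfer page does with a pasted or scanned value: validate,
// then build the markup that echoes the address back to the user.
function renderField(addr, validate, encode) {
  if (!validate(addr)) return { accepted: false, html: "" };
  const shown = encode ? escapeHtml(addr) : addr;
  return { accepted: true, html: `<span class="wallet">${shown}</span>` };
}

// Constructed inputs (not taken from any real system): the post's payload shape,
// padded so the total length is exactly 98, and a benign address of the same shape.
const TAG = "<img src=x onerror=confirm(document.domain)>";
const PAYLOAD = WALLET_PREFIX +
  "a".repeat(WALLET_LEN - WALLET_PREFIX.length - TAG.length) + TAG;
const BENIGN = WALLET_PREFIX + "a".repeat(WALLET_LEN - WALLET_PREFIX.length);

// Stand-alone demonstration of the four combinations.
if (typeof require !== "undefined" && require.main === module) {
  console.log("weak check accepts payload:", weakValidate(PAYLOAD));
  console.log("strict check accepts payload:", strictValidate(PAYLOAD));
  console.log("weak + unencoded render:", renderField(PAYLOAD, weakValidate, false).html);
  console.log("weak + encoded render:", renderField(PAYLOAD, weakValidate, true).html);
  console.log("scanned benign value:", acceptScannedValue(" " + BENIGN + "\n") !== null);
}
```

The weak check accepts the 98-character payload because it satisfies both rules the post mentions; the allowlist rejects it on the first disallowed character. Output encoding is kept as a separate function on purpose: validation protects the data model, encoding protects the page, and the scanned-QR path shows that a new input channel must share both.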

I quickly wrote a report and sent it to the security team. They triaged it and awarded a $300 bounty for my finding. :”)


Thanks for reading…
