How I was able to turn self xss into reflected xss

Hein Thant Zin
Mar 31 · 2 min read

Hello there,

I’m Hein Thant Zin, just a noob bug hunter. Today I would like to share one of my recent findings in a HackerOne private program.

Let’s call it https://reacted.com

When I was testing this site, I found a function that lets you transfer money to another account via a wallet address.

https://reacted.com/manage/transfer

I put an XSS payload in this field and it was submitted automatically, but nothing happened because they filtered it: the wallet address must start with ‘xyz’ and be 98 characters long.

So I prepared my payload like this:

xyzaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<img src=x onerror=confirm(document.domain)>

Then, when I submitted the above payload, the XSS fired :”) I was like

But this is basically self-XSS, which is not exploitable against other users. So how could I exploit other users? I was thinking about it, and about 15 minutes later I noticed that they provided two ways to fill in the wallet address:

  1. Copy / Paste
  2. Scanning QR image

What happens if an attacker encodes his XSS payload as a QR image and sends it to a victim to transfer money? I encoded my payload like this:

Then I scanned my QR code, the payload was automatically executed and an alert popped up. That is enough to exploit other users, because no user action is needed to execute the payload and the encoded QR image is not visible as plaintext.
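As an added illustration from the defender's side (this is not the author's code nor the program's), here is a wallet-address check that only looks at the ‘xyz’ prefix and the 98-character length, next to a strict allowlist check and output encoding that reject or neutralise the same value whether it was typed, pasted or decoded from a QR code. The base58-style alphabet, the helper names and the sample inputs are assumptions made here.

```javascript
// Added example, not code from the original post or the target program.
// The "xyz" prefix and the 98-character length are taken from the post; the
// base58-style alphabet and the escaping helper are assumptions made here.

const ADDR_PREFIX = "xyz";
const ADDR_LENGTH = 98;

// Weak check, as the post describes it: prefix and length only. Any
// 98-character string beginning with "xyz" passes, whatever its tail holds.
function weakValidate(addr) {
  return typeof addr === "string" &&
    addr.startsWith(ADDR_PREFIX) && addr.length === ADDR_LENGTH;
}

// Strict check: exact length AND an allowlisted alphabet (assumed base58
// here). Angle brackets, quotes and spaces fall outside it, so markup is
// rejected no matter whether the value was typed, pasted or decoded from a QR.
const ADDR_RE = /^xyz[1-9A-HJ-NP-Za-km-z]{95}$/;
function strictValidate(addr) {
  return typeof addr === "string" && ADDR_RE.test(addr);
}

// Defence in depth: whatever is echoed back to the page (even a rejected
// value inside an error message) is encoded for an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the confirmation line a transfer page might show; returns the markup
// as a string so it can be inspected instead of being written to the DOM.
function renderTransferLine(addr) {
  return `<p>Sending to <span class="addr">${escapeHtml(addr)}</span></p>`;
}

// Constructed sample inputs (not taken from the post).
const GOOD_ADDR = ADDR_PREFIX + "1".repeat(ADDR_LENGTH - ADDR_PREFIX.length);
const TAG = "<img src=x onerror=alert(1)>";
const MARKUP_ADDR = ADDR_PREFIX +
  "a".repeat(ADDR_LENGTH - ADDR_PREFIX.length - TAG.length) + TAG;

console.log("weak accepts markup:", weakValidate(MARKUP_ADDR));     // true
console.log("strict accepts markup:", strictValidate(MARKUP_ADDR)); // false
console.log("strict accepts good:", strictValidate(GOOD_ADDR));     // true
console.log(renderTransferLine(MARKUP_ADDR));                       // no raw <img>
```

Validation of the QR-decoded value must run on the server too, since the scanner path feeds the same field as copy/paste.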

I quickly wrote a report and sent it to the security team. They triaged my report and awarded a $300 bounty for my finding. :”)

Thanks for reading.
