Hello there ,
I’m Hein Thant Zin and just a noob bug hunter .Today , I would like to share about one of my recent finding in HackerOne ‘s private program.
Let’s say https://reacted.com
When I’m testing on this site , there is a function which you can transfer money to another account via wallet address.
I put xss payload in this field and payload was automatically executed but nothing happened coz they filtered wallet adderss must start with ‘xyz’ and having 98 characters long .
So , I prepared my payload like that ,
xyzaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<img src=x onerror=confirm(document.domain)>
then when I put above payload xss was fired :”) Me was like
But this is basically self xss which is not exploitable other users .So , how can i exploit other users ? I was thinking about it and about 15 minutes later , I noticed that they were provided to fill wallet address in two ways
- Copy / Paste
- Scanning QR image
What happens if an attacker encode his xss payload as QR image and send it to victim to transfer money ? I encoded my payload like that
And then I scanned my qr code and payload was automatically executed then pop up alert . That is enough to exploit other users coz there is no need user action to execute payload and encoded QR image can’t visible as plaintext.
I quickly wrote report and reported to security team.They triaged my report and awarded $300 bounty for my finding. :”)
Thanks for reading…….