Story of Stored Xss

Hi guys!!

Walid Hossain a bug hunter and web penetration tester from Bangladesh.This is my first write up to the medium community!I am sharing a write up about one of my recent finding(stored xss).

So when the Stored Xss occurs???

@@Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered.

Someday ago on twitter I read about a tip about xss !!That is : always put something before the xss payloads. Like TEST”><svg onload=alert(1)// And when you start finding for The TEST word.the xss should be fired( if not properly filtered).And I was like-

I was like

That time I was looking to a private site.And thought why not give it a try???So I started looking into this!!lets say the web app name redacted.com

I have created two accounts on redacted.com. while doing that I have set the display name as TEST”><svg onload=alert(1)// and created account. Now what??? I have started typing the name on search bar and BOOM! xss fired up !! I was really surprised that the input was not filtered and tip worked as Hell!Again I was like

Surprised!

Then honestly I did not think much and reported the issue to the private program!After two days they replied and marked it as wont fix saying self xss because victim could not find attackers name on the search bar thus victim only can attack himself.As I did not thought much about the issue.I was like:

Then I thought about how we can attack victim with this???I tried to understand the functionality of the redacted.com.And after spending a day I understood that

  1. If user1 is following user2 then user2 will appear on user1s search bar
  2. if user1 is not following user2 then will not appear!

And I have set the attack scenario like this:

  1. Attacker set his display name as Attacker1"><svg onload=alert(1)//
  2. Now Attacker1 is following victim1
  3. Victim1 got interested and also followed Attacker1
  4. Victim1 wanna see Attacker1 profile.So he start typing on Attacker1 on search bar
  5. BOOM! XSS should be pop out in victims browser!!

And I have submitted with all of this.after someday one of the analyst traiged my report saying Thank you for a detailed POC N00B-Walid.I was like:

So thats the story of stored xss.Please pardon my any mistake as this is my first write up!And I am no one comparing any of the guys out there.thank you!

Issue found: 15 november

Submitted : 15 november

Marked wont fix: 21 november

traiged: 25 november

bounty awarded:26 november

Best regards,NOOB-Walid