The 2.5 BTC Stored XSS
- Severity : High
- Complexity : Easy
In September 2016, I had found a simple Stored XSS that I earned 2.5 BTC for it from a crypto exchange platfrom. and In this time I was trading too much in cryptocurrencies and I was trying to find the best crypto exchange platform that I can trade on it easily without any restrictions, so I decided to find a one.
After a few hours on searching on the web, My eyes came on a Taiwan crypto exchange platform with awesome features and very good referral system too. Quickly I registered on the website and posted my referral link on facebook and twitter.
The referral URL was as follow:
https://www.reacted.com/users/sign_up/32427/shared
In the second day, When I logged into my account on the website, I noticed two notifications about that two guys just registered using my referral link.
An interesting thing, application prints the accounts names that registered using your referral link, So what If I register a new account with XSS name using my referral link. very simple, very easy.
Quickly I registered a new account using my referral link with my favorite XSS payload “><img src=x onerror=prompt(1)>
Then after I created the account I browsed to the notification page and I noticed that the payload didn’t get executed and I didn’t know why even the payload isn’t filtered by the application.
Hmmm, I tried many payloads and it didn’t get popup too. Then I tried to register a new account with this payload (“ <script>alert(1)</script>”)
After I registered the account, I browsed to notification page again. But this
time the payload has been executed on the page using script alert payload.
I felt this moment that this payload tells me he is still the king of XSS even if no one uses it anymore ;”D
XSS’ing all platform users
However, haven’t you noticed that you can change the ID on the referral link to another account ID that you want to register by his referral link ?
It looks like that this website generates referral links depends on the ID of user which is very easy to known or enumerated. In other websites, the referral link is consists of hashed token.
And because of this feature or bug, I was able to XSS all users by sending registration requests to intruder tap and this will request register accounts by users referral link with XSS names From User ID 1 to 32427 USER ID
And XSS will get executed on accounts of user when they see the notification page
Quickly, I sent an email support team asking them If they have bug bounty or something like that, and after 6 hours their response was as follow
Great reply! After this encouraging response I wrote the report of Stored XSS that I found and other two medium severity issues and sent the report to them.
26 Hours later of sending the report, I got this awesome email.
The company rewarded me with 2.5 BTC as bounty for my effort and offered me to do pentest on their application from time to time.
Lessons learned
- Do not hesitate to report something you found on a service or application that you use and I’m sure It’s probably going to be appreciated by them and it might end up getting great stuff.
- Don’t forget to test referral function because I never thought that it maybe be vulnerable to anything like that