A base64 encoded parameter.

This article is about a parameter which was taking the values not as simple text or HTML code but as encoded base64 string/text. The article below tells what was the bug and how it was submitted ?

It was a first/index page of a Subdomain of a public program ,which was a login page. I was uninterested to look for anything and about to close the page but somehow unintentionally entered the admin/admin in the login page and an error comes up above the login form which says wrong credentials, but the thing that catch my eye was the parameter that comes up at the address bar “errLogin” and the value of the parameter was not simple/plain text.

The link was like

https://www.SomeWebsite.com/? errLogin=[Some_base64_encoded_String]

So, I thought let’s try to enter plain text into parameter , as I entered plain text, some gibberish text gets reflected above the login form where error message was shown.

Now, I thought it can be a XSS bug but the payload was again reflected as gibberish text. Then somehow it came to my mind to decode it as base64.So, I copied the encoded text and try to decode it using some base64decoder website and it shows simple html code like this

<b>Error:</b>Wrong credentials

Now , I wrote simple html code and encoded into base64 then enter it as a value of that parameter and yay! it’s reflected at above the login page where the error message was shown.

I thought this is now can be reflected XSS but I was not able to pop-up the alert box because of filter website have.I tried a lot of payloads but unable to pop up the alert box .


I don’t want to submit the report without showing any effect. So, I submitted with this below PoC as HTML injection

<a href=’https://www.google.com’ > Register! </a>

the whole link looks like

https://www.SomeWebsite.com/?errLogin=[base64_encoded_injected_HTML]

Submitted Impact:

When user visit above link , and click on the register , he/she will be visited to Google.

Point to note:

If some gibberish text reflects as a result of input in some parameter try to encode it into base64 and try ,may be it works.

Bounty:

This was accepted as valid bug and $75 was rewarded in return and also they said if you are able to submit this as XSS then we can pay you more.