Persistent Cross-Site Scripting on redacted worth $2,000

protector47
Sep 15, 2018 · 3 min read

This is my second write-up, but this time again I am not sharing a technical one. In this report, you will see how a single user of the redacted ORG can affect each and every member of the ORG, including admins, through an XSS vulnerability. The target website was a CRM.
I reported this vulnerability to redacted 3 years ago and was rewarded $2000. I will share some technical vulnerabilities very soon :)

So I got an invitation on HackerOne to pentest redacted web services, and I started pentesting. I was looking for XSS because, as you all know, a CRM is based on users and admins; if a user-initiated XSS attack affects the admins and all users, that is a high-severity Cross-Site Scripting. So I was looking for a Cross-Site Scripting vulnerability that could be initiated by a user.

How did I find Persistent Cross-Site Scripting on redacted?

I went to the Library functionality of redacted and created a library with an XSS payload like "><script>alert(1)</script>#"><img src="x" onerror=prompt(1);> but had no luck. I tried multiple payloads in every field, but every time the response was in plaintext.

[Image: Why am I not an expert in JavaScript?]

I was moving on to the next functionality of redacted because I was not able to bypass the XSS filter. At the same time, I saw the Tags option in Libraries, where we can create custom tags. I created a custom tag with an <img src xss> payload and boom!

This time the response was different. The XSS was still not triggered, but there was a broken image in the response. So I analyzed the output payload in the source code and created multiple payloads according to the response, but no luck again. I am not much of an expert in JavaScript, which is why I searched for payloads and polyglots to bypass this type of XSS filter. Then I found the payload /*-->]]>%>?></object></script></title></textarea></noscript</style></xmp>'-/"/-alert(1)//><img src=1 onerror=alert(1)>' and I used this payload to create library tags.

BOOM ….. BOOOOM …..BOOOOOOOOOOOOOM !!!!

[Image: Celebration Time :)]

The XSS triggered successfully, and this attack is initiated by a user, so it can affect all admins and all users of the ORG.
So redacted rewarded me $1500 and $500 bonus, also my report was selected as one of the best reports of August and rewarded $500 bonus!
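The two behaviours described above, a field that rendered everything as plaintext and a tag field whose filter let a broken image through, come down to output handling. The following is an added example, not code from the original post or the redacted CRM: a hypothetical blacklist-style filter that only strips <script> tags next to proper HTML entity encoding, both run over copies of the payloads quoted in the write-up (with straight quotes), plus a small check that flags stored fragments still carrying an inline event handler.

```python
import html
import re

# Copies of the payloads quoted in the write-up, used here only as test input.
LIBRARY_PAYLOAD = '"><script>alert(1)</script>#"><img src="x" onerror=prompt(1);>'
TAG_PAYLOAD = (
    "/*-->]]>%>?></object></script></title></textarea></noscript</style></xmp>"
    "'-/\"/-alert(1)//><img src=1 onerror=alert(1)>'"
)

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# A tag that still carries an inline event handler attribute (onerror=, onload=, ...).
EVENT_HANDLER = re.compile(r"<[^>]*\bon\w+\s*=", re.IGNORECASE)


def naive_filter(value: str) -> str:
    """Hypothetical blacklist filter: removes <script> tags and nothing else.
    This is the kind of filter a polyglot with <img onerror=...> walks past."""
    return SCRIPT_TAG.sub("", value)


def encode_for_html_body(value: str) -> str:
    """The mitigation: entity-encode untrusted data for the HTML context it is
    rendered in, so the browser shows it as text (what the plaintext fields did)."""
    return html.escape(value, quote=True)


def still_carries_event_handler(fragment: str) -> bool:
    """Detection check for stored records: does the fragment, as it would be
    written into the page, still contain a tag with an inline event handler?"""
    return bool(EVENT_HANDLER.search(fragment))


def compare(payload: str) -> dict:
    """Run one payload through both approaches and report what survives."""
    return {
        "naive_filter": still_carries_event_handler(naive_filter(payload)),
        "entity_encoding": still_carries_event_handler(encode_for_html_body(payload)),
    }


if __name__ == "__main__":
    for name, payload in ("library", LIBRARY_PAYLOAD), ("tag", TAG_PAYLOAD):
        print(name, compare(payload))
```

Stripping known-bad tags leaves the event handler intact for both payloads, while encoding leaves no markup at all, which is why context-aware output encoding rather than a blacklist is the fix for a field like the custom tag name.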


Redacted fixed this vulnerability very quickly and rewarded me with a bounty.

Thanks a lot for reading my report :)
