A Tale of Open Redirection to Stored XSS

Tushar Sharma
2 min read · Mar 12, 2022


Hello guys,

I am back with another write-up of an interesting vulnerability I came across.

I will make this write-up short and easy to understand.

While hunting on a private BB program (which I found through these dorks: https://github.com/tushar-arch/Bug-Bounty-Dorks), I came upon the main login page, where I found an open redirect using the payload target.com/<>//google.com, which successfully redirected me to google.com. To escalate the impact I tried RXSS on it.

Payload: https://target.com/<>javascript:alert(1);

and I got a beautiful popup :).

If you are wondering how I ended up using this payload, I took it from this report: https://hackerone.com/reports/196846 (I always keep this payload in my arsenal).

Now I immediately made a report and sent it to the security team.

I want to tell you guys that my target website is a marketplace for pictures/wallpapers and more, and I can make a public profile where I can list pictures and other art.

After reporting this issue I started looking for other vulnerabilities and came across a feature where we can add our social media handle links to the public profile.

So I added different payloads in the inputs that would be saved to my public profile, but nothing happened.

So if I add <script>alert(1)</script> in the Twitter handle input,

then on clicking the Twitter handle (present on my public profile) the user is redirected to https://<script>alert(1)</script>.

So you know what I am thinking!! Right??

I saved this payload in my Twitter handle input: https://target.com/<>javascript:alert(1);

So whenever someone clicks on my Twitter handle (present on my profile page), they are redirected to this URL, which is vulnerable to reflected XSS.

Both authenticated and unauthenticated users are vulnerable to this, and as an attacker, I can steal the cookies.
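As an added example (my own code, not from the post or the program's code base), here is what the two fixes a defender would want look like in Python: a redirect validator that sends `javascript:` and off-site targets such as `//google.com` or `<>//google.com` back to a safe fallback, and a normaliser for the social-handle field that only stores a link to the expected network. The host names (`target.example`, `twitter.com`, `x.com`) are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders; the real program's hosts are not on the page.
APP_HOSTS = {"target.example"}
SOCIAL = {"twitter": ("twitter.com", {"twitter.com", "x.com"})}
HANDLE_RE = re.compile(r"^@?([A-Za-z0-9_]{1,15})$")
# Characters browsers may reinterpret (backslash as slash, whitespace/control
# characters stripped from schemes) or that would break out of an attribute.
BAD_CHARS = set("<>\\\"'\x00\r\n\t ")


def _parse(value):
    """Parse a user-supplied URL, or return None if it cannot be trusted."""
    if not value or BAD_CHARS.intersection(value):
        return None
    try:
        return urlsplit(value)
    except ValueError:
        return None


def safe_redirect(target, fallback="/"):
    """Return a redirect destination that stays on the application's own hosts.
    Accepts site-relative paths and absolute http(s) URLs on APP_HOSTS; anything
    else (javascript:, //other-host, <>//other-host, userinfo tricks) yields fallback."""
    parts = _parse(target)
    if parts is None or parts.scheme not in ("", "http", "https"):
        return fallback
    if parts.netloc == "":
        # Relative reference: only an absolute path, so "evil.com" and
        # "http:/evil.com" (which some browsers upgrade) stay local.
        return target if parts.scheme == "" and target.startswith("/") else fallback
    if "@" not in parts.netloc and parts.hostname in APP_HOSTS:
        return target
    return fallback


def social_profile_url(network, value):
    """Normalise what the user typed in a social-handle field into the link the
    profile page will emit, or None. A bare handle becomes a URL on the network's
    canonical host; a pasted URL is kept only if it is https on a known host."""
    canonical, allowed = SOCIAL[network]
    match = HANDLE_RE.match(value or "")
    if match:
        return f"https://{canonical}/{match.group(1)}"
    parts = _parse(value)
    if parts is None or parts.scheme != "https" or "@" in parts.netloc:
        return None
    return value if parts.hostname in allowed else None
```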

So, in the same email thread, I updated the report, which got accepted within 2 days, and the team is working on the fix. I am expecting $$$$ for it.

Hope you liked it !!!
