Multiple Stored XSS
In the name of God, the Most Gracious, the Most Merciful
This is a short writeup on how I found 4 stored XSS bugs in a short time.
I'll keep track of the bugs found by incrementing the BUG COUNTER as we go through the writeup.
I started by selecting a program that I have an account on and use from time to time.
The website is designed for gamers teaming up and for gaming tournaments.
My plan was simple: test every input field and URL parameter for XSS and other low-hanging fruit.
BUG COUNTER = 0
Starting with the search feature, I used a simple payload to see what came back: "><iframe%20src=x>
That got me a CloudFront WAF block,
and since I'm hunting for low-hanging fruit, I decided to move on.
Looking at the sidebar, there's a "Talk" page, which is a DM section that lets me interact with other gamers. Sweet, I guess I can test multiple payloads through the chat and see the results without going back and forth and reloading pages.
In a live chat, I tested multiple payloads such as img, svg and script tags.
Nothing worked and everything seemed to be filtered, until I tried <iframe src="someRandomPathToGeta404"></iframe>
and saw it render an iframe with a 404 inside the chat.
Let's trigger an alert now!
Yet again, filters are in place: onerror, onmouseover, onload, etc. are all filtered :/
But we know that src is not, so I ended up with this: <IFRAME SRC="javascript:window['al'+'ert']('XSS')"></IFRAME>
and that worked like a charm!!
Now we have a working PoC and an unfiltered payload, time to go wild! :)
BUG COUNTER = 1
SEVERITY = HIGH
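The filter described above blocks known-bad event handler attributes but never looks at where a src points, which is why a javascript: URL in an iframe got through. As an added defensive example (not code from the writeup or from the affected site), the block below contrasts a hypothetical blocklist modelled on that behaviour with an allowlist sanitizer that rebuilds the HTML from a small set of permitted tags and attributes and rejects any URL whose scheme is not http(s) or relative. The tag and attribute sets are assumptions for illustration; the only payload used is the one quoted above.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Payload quoted in the writeup above (copied here for local testing).
PAGE_PAYLOAD = """<IFRAME SRC="javascript:window['al'+'ert']('XSS')"></IFRAME>"""

# --- The failing approach: a blocklist that strips on* event handlers ---------
# Hypothetical model of the filter the writeup describes: it removes onerror,
# onmouseover, onload, ... but never inspects what a src/href points to.
EVENT_HANDLER = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)

def blocklist_filter(html: str) -> str:
    return EVENT_HANDLER.sub("", html)

# --- The hardened approach: allowlist tags/attributes and check URL schemes ---
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}   # assumed set
ALLOWED_ATTRS = {"a": {"href"}}                              # assumed set
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}  # "" means a relative URL

def safe_url(value: str) -> bool:
    """Accept only http(s) or relative URLs. Whitespace and control characters
    are removed first, since browsers ignore them inside the scheme, and
    urlsplit() lower-cases the scheme, so mixed-case JavaScript: is caught too."""
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        return urlsplit(cleaned).scheme in SAFE_SCHEMES
    except ValueError:
        return False

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from scratch: unknown tags are dropped (their text
    is kept, escaped), unknown attributes are dropped, and URL attributes must
    pass safe_url(). Character references are decoded before the checks so an
    entity-encoded scheme cannot slip past them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print("blocklist :", blocklist_filter(PAGE_PAYLOAD))  # iframe survives untouched
    print("allowlist :", repr(sanitize(PAGE_PAYLOAD)))    # ''
    print("allowlist :", sanitize('<b>gg</b> <a href="https://example.com/">team</a>'))
```

The design point is that the allowlist never has to know about iframe, javascript: or any particular trick: anything not explicitly permitted is dropped, and the URL check decides by scheme rather than by matching strings. Output encoding on render (or a Content-Security-Policy that forbids inline script) is still the second layer a chat or feed feature should have.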
I went to the homepage, which is basically a feed wall for users to post their thoughts,
pasted the same payload, and we got another hit! This one needs no user interaction, no chat or other nonsense: it triggers on view!
BUG COUNTER = 2
SEVERITY = HIGH
I went to the comment section of a post, pasted the payload, and that's another hit!
BUG COUNTER = 3
SEVERITY = TBD
I moved on to a tournament page, where there was a comment section for the tournament's participants.
I pasted the same payload and BOOM, a 4th XSS in a few hours.
BUG COUNTER = 4
SEVERITY = TBD
I filed all the reports; the severities will be updated once all of them are fully triaged.
Conclusion: got a working payload? Go wild and test it everywhere!