Multiple Stored XSS

In the name of Allah, the Most Gracious, the Most Merciful

This is a short writeup on how I found 4 stored XSS bugs in a short time.

I'll keep track of the bugs found by incrementing the BUG COUNTER as we go through the writeup.

I started by selecting a program that I have an account on and use from time to time.

The website is designed for gamers teaming up and for gaming tournaments.

My plan was simple: test every input field and URL parameter for XSS and other low-hanging fruit.

BUG COUNTER = 0

Starting with the search feature, I used a simple payload to see what came back, "><iframe%20src=x>, and that got me blocked by a CloudFront WAF.

Since I'm hunting for low-hanging fruit, I decided to move on.

Looking at the sidebar, there's a "Talk" page, which is a DM section that lets me interact with other gamers. Sweet, I guess I can test multiple payloads through the chat and see the results without going back and forth and reloading pages.

In a live chat, I tested multiple payloads such as img, svg and script. Nothing worked and everything seemed to be filtered, until I tried <iframe src="someRandomPathToGeta404"></iframe>

and I saw that it rendered an iframe with a 404 page inside the chat.

Let's trigger an alert now!
Yet again, filters are in place: onerror, onmouseover, onload etc. are all filtered :/

But we know that src is not, so I ended up with this: <IFRAME SRC="javascript:window['al'+'ert']('XSS')"></IFRAME> and that worked like a charm!!

Now we have a working PoC and an unfiltered payload, time to go wild! :)
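To show why the filter described above fails, here is an added example (not the site's code; its filter behaviour is assumed from the writeup) contrasting a blocklist sanitizer that strips known tags and on* handlers with an allowlist sanitizer that drops unknown tags and checks the URL scheme of href:

```javascript
// Blocklist style, as assumed from the writeup: removes img/svg/script
// and on* handlers, but keeps any tag and attribute it was not told about.
const BLOCKED_TAGS = ["script", "img", "svg"];
const EVENT_ATTR = /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;

function blocklistSanitize(html) {
  let out = html;
  for (const tag of BLOCKED_TAGS) {
    out = out.replace(new RegExp(`<\\/?${tag}\\b[^>]*>`, "gi"), "");
  }
  return out.replace(EVENT_ATTR, "");
}

// Allowlist style: only listed tags and attributes survive, and a URL
// attribute must be a relative path or http(s) after stripping whitespace
// and control characters (defeats "java\tscript:" style tricks).
const ALLOWED = { b: [], i: [], a: ["href"] };
const TAG_RE = /<\/?([a-z0-9]+)([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function safeUrl(value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  return /^https?:\/\//.test(v) || v.startsWith("/") || !v.includes(":");
}

function allowlistSanitize(html) {
  return html.replace(TAG_RE, (match, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) return "";
    if (match.startsWith("</")) return `</${tag}>`;
    const kept = [];
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      const val = a[2] ?? a[3] ?? a[4] ?? "";
      if (!ALLOWED[tag].includes(key)) continue;        // unknown attribute
      if (key === "href" && !safeUrl(val)) continue;    // bad scheme
      kept.push(` ${key}="${val.replace(/"/g, "&quot;")}"`);
    }
    return `<${tag}${kept.join("")}>`;
  });
}

// The writeup's payload: the blocklist passes it through untouched,
// the allowlist removes the iframe entirely.
const PAYLOAD = `<IFRAME SRC="javascript:window['al'+'ert']('XSS')"></IFRAME>`;
```

Regex-based sanitizing is shown here only to make the blocklist/allowlist difference concrete; in production, use a maintained HTML sanitizer and a Content-Security-Policy as defence in depth.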

BUG COUNTER = 1

SEVERITY = HIGH

I went to the homepage, which is basically a feed wall for users to post their thoughts.

I pasted the same payload, and we got another hit! This one needs no user interaction, no chat and no other nonsense. It triggers on view!

BUG COUNTER = 2

SEVERITY = HIGH

I went to the comment section of a post, pasted the payload, and that's another hit!

BUG COUNTER = 3

SEVERITY = TBD

I moved on to a tournament page, which had a comment section for participants of the tournament.

I pasted the same payload and BOOM, the 4th XSS in a few hours.

BUG COUNTER = 4

SEVERITY = TBD

I filed all the reports; the severities will be updated when all reports are fully triaged.

Conclusion: you've got a working payload? Go wild and test it everywhere!