Hello Everyone!
My name is Aniruddha Khadse. I am working as a Product Security Engineer, and I am also a part-time Bug Bounty Hunter. This blog is about my finding on a shopping website (private program); let's call it target.com. Without wasting time, let's start.
Vulnerability description:
While registering on target.com, it asked for name, mobile no, and email id. As usual, I used <h1>Hacked</h1> in the name field, and I got a welcome mail with the HTML injected successfully. Now it was time to increase the impact: I changed my first name from <h1>Hacked</h1> to <script>alert(1)</script> and I got a popup. I immediately created a report and submitted it to target.com.
Then I started hunting on that website again, and I found an endpoint where you can apply for a free membership (similar to Amazon Prime and Flipkart Plus). There I got a form for applying for membership with the name already filled in. Here I got an idea: what would happen if I changed my first name to a blind XSS payload?
I opened https://xsshunter.com/, logged in with my credentials, copied the payload, pasted it into my name field, and applied for membership. The very next day, I got a mail from xsshunter saying that my payload had fired.
I opened my xsshunter account and what I got was a screenshot of the admin's dashboard with users' sensitive details like name, phone no and address. Again I created a new report and submitted it to them.
There are lots of tools for finding blind XSS, but xsshunter is my favorite because it is very easy to use.
Steps to reproduce:
1) Go to target.com and sign up with the xsshunter payload as your name.
2) Visit "apply for a free membership" and apply.
3) Wait for the xsshunter mail.
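From the defender's side, the root cause is that the stored name reached the welcome mail, the pre-filled membership form and the admin dashboard without output encoding. The following is an added example, not code from this post or from target.com, showing the vulnerable concatenation beside context-aware escaping; the user records and phone numbers are constructed.

```python
import html

# Constructed sample registrations. The first-name values are the ones the
# post describes being stored in the name field; phone numbers are fake.
SAMPLE_USERS = [
    {"first_name": "Aniruddha", "phone": "+91-0000000000"},
    {"first_name": "<h1>Hacked</h1>", "phone": "+91-0000000001"},
    {"first_name": "<script>alert(1)</script>", "phone": "+91-0000000002"},
]


def render_welcome_unsafe(first_name: str) -> str:
    """Vulnerable pattern: stored user input concatenated straight into HTML."""
    return f"<p>Welcome, {first_name}!</p>"


def render_welcome_safe(first_name: str) -> str:
    """Hardened: HTML body context, so <, >, & and quotes are escaped on output."""
    return f"<p>Welcome, {html.escape(first_name, quote=True)}!</p>"


def render_membership_form_safe(first_name: str) -> str:
    """Attribute context (the pre-filled membership form): the value must be
    both quoted and escaped; quote=True makes html.escape cover \" and ' too."""
    return f'<input name="first_name" value="{html.escape(first_name, quote=True)}">'


def render_admin_row_safe(user: dict) -> str:
    """Admin dashboard row: every user-controlled field is escaped, not only the name."""
    cells = "".join(f"<td>{html.escape(str(v), quote=True)}</td>" for v in user.values())
    return f"<tr>{cells}</tr>"


def contains_raw_markup(rendered: str, user_value: str) -> bool:
    """Review check: does a stored value containing '<' survive verbatim into the output?"""
    return "<" in user_value and user_value in rendered
```

The same check applies to every sink that shows the stored name (mail templates, pre-filled forms, internal dashboards), because a blind payload only needs one of them to forget to encode.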
I got a reply from them that my blind XSS was accepted and that they would provide only swag.
If you liked this article, do click on the clap button and follow me on LinkedIn and Twitter.
LinkedIn: https://www.linkedin.com/in/aniruddha-khadse-7852a6101/
Twitter: https://twitter.com/aakhadse29