Hi Everyone,
Hello guys👋👋 In this article, I’m going to talk about how to bypass XSS filtering, leading to a stored XSS bug I discovered in a HackerOne bug bounty program, which I am going to refer to as redacted, that allowed me to get a $500 reward.
Severity: Medium — Payout: $500
Platform: HackerOne Public Program
In the rich text editor (add hyperlink), data: URLs can be set as image sources, and I was able to store XSS in such an image. While <img> won’t execute script that is stored inside the SVG it points to, if one opens the image, the script will be executed. The <use> tag allows embedding another base64-encoded SVG containing the target XSS payload, base64 after decoding:
Find the user's chat box.
First of all I entered a normal payload. I tried with
<Svg/src=”x”/onerror=alert(“follow+me”)>
But this payload was not working after trying to use edit options like: bold, italic, arranging, script, hyperlink.
I tried them one by one, but again it was not working.
After that, I used the following different base64-encoded payloads:
<image/onerror="import('data:application/javascript;charset=utf-8;base64,PAYLOAD')//%27"src><script>
<image/onerror="import('data:application/javascript;charset=utf-8;base64,YWxlcnQoIlRoM24wMGJiMHk6Iitkb2N1bWVudC5jb29raWUpO2NvbnNvbGUubG9nKCJUaDNuMDBiYjB5OiIrZG9jdW1lbnQuY29va2llKTsvLw')//%27"src><script>
Use the base64-encoded payload after adding a hyperlink (set it inside a link), then press Enter.
As expected, the script was now triggered. I quickly reported it to the HackerOne program; after 1 week I revisited the response, and the BBH program accepted the vulnerability.
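On the defensive side, the issue above comes down to the editor storing event-handler attributes and data: URLs it should have refused. The following is an added example, not code from this write-up or from the affected program: an allow-list applied to elements before they are stored. It assumes the editor hands over already-parsed elements (tag name plus attributes); all function and constant names are hypothetical.

```javascript
// Added example (not from the article). All names here are hypothetical.
const ALLOWED_ATTRS = new Map([["a", ["href", "title"]], ["img", ["src", "alt"]]]);
const LINK_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const IMG_SCHEMES = new Set(["http:", "https:"]);
const RASTER_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);
const BASE = "https://editor.example/"; // constructed base for relative URLs

// May this URL be stored as a link target ("a") or an image source ("img")?
function isSafeUrl(raw, tag) {
  let url;
  try {
    // The WHATWG parser normalises the scheme the way browsers do
    // (case, surrounding and embedded whitespace) before we compare it.
    url = new URL(String(raw), BASE);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  const schemes = tag === "a" ? LINK_SCHEMES : IMG_SCHEMES;
  if (schemes.has(url.protocol)) return true;
  if (tag === "img" && url.protocol === "data:") {
    // Allow data: images for raster types only. image/svg+xml is left out
    // because an SVG can carry script that runs when the image is opened.
    const mime = url.pathname.split(",")[0].split(";")[0].trim().toLowerCase();
    return RASTER_TYPES.has(mime);
  }
  return false; // every other scheme, including data: in links
}

// Keep only allow-listed attributes of an already-parsed element.
// Returns null for tags that are not allowed at all. Event handlers such as
// onerror never reach storage because they are not on the allow-list.
function sanitizeElement(tag, attrs) {
  const name = String(tag).toLowerCase();
  const allowed = ALLOWED_ATTRS.get(name);
  if (!allowed) return null;
  const clean = {};
  for (const [key, value] of Object.entries(attrs)) {
    const attr = key.toLowerCase();
    if (!allowed.includes(attr)) continue;
    if ((attr === "href" || attr === "src") && !isSafeUrl(value, name)) continue;
    clean[attr] = String(value);
  }
  return clean;
}

// Constructed input modelled on the report: SVG data: source plus an event handler.
console.log(sanitizeElement("img", { src: "data:image/svg+xml;base64,AAAA", onerror: "x()", alt: "pic" }));
```

The same check has to run on the server when the content is saved, since anything enforced only in the editor UI can be skipped by sending the request directly.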
Thanks for Reading & Happy Hunting!
Reported — December 17, 2023, 10:54am UTC
Bounty rewarded — December 25, 2023, 10:30am UTC
Triaged — December 25, 2023, 12:45pm UTC