How a simple “Hey!” can turn into your worst Nightmare: Stored XSS

3 years ago 162
BOOK THIS SPACE FOR AD
ARTICLE AD

Shrirang Diwakar

Hello Hunters, Hope you’re doing well. Ever thought about what can happen if you read any stranger’s “Hey!” message? Nothing will happen, right?! 🤔

Let me prove you wrong!! So relax and let me explain how a simple “Hey!” can turn into your worst nightmare!! 👻

I’m sure this would be you right now…😂

Cross-site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS is the most dangerous of all. To successfully execute a stored XSS attack, a perpetrator has to locate a vulnerability in a web application and then inject a malicious script into its server.
Unlike Reflected, The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for users to encounter it.

The Web application is a global provider of cloud communications and allows devices to be connected anywhere and on any device through voice, video, and team messaging. So the application is vulnerable to a Stored Cross-Site Scripting (XSS) Vulnerability which allowed an attacker to execute his malicious Javascript code on the victim’s device, as soon as the victim interacts with the attacker in any way. (eg.message, task, etc)

The Reason for the javascript execution was the “Last Name” parameter. Whenever you receive any message from a stranger/known person, some details which are visible include First Name, Last Name, Username, etc. In this scenario, the script was injected in the “Last Name” of the attacker, and the exploitation point was not sanitized properly after fetching the attacker’s Last Name. This allowed any Javascript code injected into “Last Name” to be executed on the Victim’s device.

Go to Edit Profile Section and inject the XSS payload given below in the “Last Name” fieldNow Create a task with Assignee marked as “Self”Send the task to the Victim with a simple “Hey!” messageAs soon as, the victim reads your message/task, the script will get executed.

Payload: ”><img src=z onerror=”alert(document.cookie)”

Scary, Isn’t it? 🥶

Wait…Wait…Wait! It's not over yet!! 😁

Exploiting one victim at a time is boring, right? So let’s try to use the application’s other feature of creating “Teams”!!😍

So now, As an attacker, we will create a Team of all our Victims and send the message just once. And all those who read fall into our well-organized Trap!!

But as usual, the Bugcrowd Triager marked it as a “Duplicate” -> I asked for reassessment -> Marked duplicate of another submission again -> I asked for reassessment again -> Triaged (P2) and rewarded $500 (could’ve been $2500 submission, but a Tier 4)

That’s all for this article, I hope you guys enjoyed this form of learning ❤

Stay Safe 🤗

Read Entire Article