Stored XSS on Slack, Bug Bounty

4 years ago 183
BOOK THIS SPACE FOR AD
ARTICLE AD

Tommysuriel

This was my first XSS related finding that was considered a high severity vulnerability on a bug bounty program. For finding this vulnerability I was paid a bounty of $4,875.

For general information about XSS vulnerabilities and their security impact I suggest you read the information in this link https://portswigger.net/web-security/cross-site-scripting.

Exploit:

The exploit of this vulnerability consists of uploading a PDF file with JavaScript code in it on the chat of Slack, if you clicked on it it opened on their PDF viewer and the JavaScript was executed. In this case I made it display my session cookies.

This was possible due to a vulnerability in an outdated version of PDF.js: CVE-2018–5158.

Image for post

Image for post

Discovery:

How did I discover that Slack had this vulnerability? Around the time I found this bug there had been a few disclosed reports of XSS in Hackerone related to PDF file uploads, so I was looking for bugs similar to those. I finally found this report https://hackerone.com/reports/819863 which is about the same vulnerability I found on Slack but this was on a company called Nextcloud. I simply used the same Payload provided on that report but changed the code in it to display cookies in an alert message and finally I tried it on Slack.

Takeaways:

Always keep yourself informed about vulnerabilities in JavaScript libraries /frameworks and think about what companies/bug bounty programs could be using those libraries. Always read the reports from Hackerone and any other write-ups from security researchers.

Read Entire Article