In this article I will show this simple vulnerability that I found in <redacted.com>. A simple HTML Injection to XSS bypass due to improper sanitation. The web application has a Chat Room feature for their users/customers and due to the improper sanitation, the Room Name become the vulnerable input for the HTML & XSS.
So long story short, here's the report timeline and proof of concept of this issue.
--Proof of Concept--
1. Go to https://<redacted.com>/<redacted>chat
2. Click Create Room
3. Input payload for the room name
Payload: <input/onfocus=prompt(document.domain) autofocus>
4. Click Ok
5. You will notice that the room name will be an input box. now type on that box and see the result.
In result; the payload will make an input box and when a user types any text on the input, the payload will trigger which can results into Cookie Stealing.
Tested in Firefox 56 Windows 10 Platform
Reported: Nov 12, 2019, 2:04 AM
Fix Confirmation: Nov 25, 2019, 9:52 PM
Thanks. I believe it is the largest bounty we have ever paid (we are a very small company), but it was also the most serious/complex vulnerability ever reported.
So I hope you enjoy this write up and have a great day everyone!