Saturday, December 07, 2019

HTML Injection to XSS bypass in [REDACTED.com]

Howdy!

In this article I will show this simple vulnerability that I found in <redacted.com>. A simple HTML Injection to XSS bypass due to improper sanitation. The web application has a Chat Room feature for their users/customers and due to the improper sanitation, the Room Name become the vulnerable input for the HTML & XSS.

So long story short, here's the report timeline and proof of concept of this issue.

--Proof of Concept--

1. Go to https://<redacted.com>/<redacted>chat
2. Click Create Room
3. Input payload for the room name

Payload: <input/onfocus=prompt(document.domain) autofocus>

4. Click Ok
5. You will notice that the room name will be an input box. now type on that box and see the result.

In result; the payload will make an input box and when a user types any text on the input, the payload will trigger which can results into Cookie Stealing.


Tested in Firefox 56 Windows 10 Platform


--Timeline--

Reported: Nov 12, 2019, 2:04 AM
Fix Confirmation: Nov 25, 2019, 9:52 PM
Bounty: $600

Thanks. I believe it is the largest bounty we have ever paid (we are a very small company), but it was also the most serious/complex vulnerability ever reported. 

So I hope you enjoy this write up and have a great day everyone!

1 comment: