Encrypted Payload -> Decrypted Execution ($600) : Stored XSS

Hello Hunters, this is the tale of how I turned an application's own feature against itself to produce a Stored Cross-Site Scripting vulnerability. So relax and enjoy the article ❤

Damn Excited to share this story…..😍

Let’s Begin

Cross-site scripting (XSS) is a common attack vector in which an attacker injects script into a vulnerable web application so that it runs in other users' browsers. Stored (persistent) XSS is generally the most dangerous variant. To execute a stored XSS attack, the attacker has to locate an injection point in the application and get the malicious script saved on its server.
Unlike reflected XSS, the attacker does not need an external way of inducing other users to make a particular request containing the exploit. Instead, the attacker places the exploit in the application itself and simply waits for users to encounter it.

Summary :

The web application was a server hosting management system offering 24x7 support, datacentre facilities, and so on. It had a feature to create support tickets for technical support, server hosting support, billing support, etc. Admins, technical support team members and the application's own support team all took part in the ticket conversation. In that thread we could raise questions, which were resolved by the support staff, much like a chat feature.

For sensitive information such as passwords, an "Encrypt Message" feature was provided: any member could encrypt a message and send it as a reply to the support ticket, and the recipient could click the reply to have it decrypted and displayed. After analysing this more closely, I figured out a way to use that feature to carry a specially crafted payload: the application happily encrypted it, and when a recipient clicked to decrypt it the payload executed, giving rise to a Stored Cross-Site Scripting vulnerability.

Steps Followed :

  1. Created a support ticket.
  2. Analysed the "Encrypt Message" feature and found that, on click, the decrypted message was written into a <textarea> tag without output encoding.
  3. Noticed that the application blocked the strings alert, prompt and confirm, but the check was case-sensitive: the uppercase versions ALERT, PROMPT and CONFIRM were allowed through.
  4. Crafted a payload that first closes the <textarea> tag to escape the text context, then carries the call as the uppercase string "ALERT(document.cookie);" and lowercases it at runtime with toLowerCase() before passing it to eval(), so the filter sees "ALERT" while the browser executes "alert".
  5. Encrypted the payload with the "Encrypt Message" feature and sent it as a reply to the support ticket.
  6. When anyone from the support team, technical team or admins clicks the message to read the original content (which they obviously would), it is decrypted and the payload executes.
  7. So every user who decrypted the message, across all those roles, was hit by the XSS 💯

Payload : </textarea><img src=x onerror="var pop='ALERT(document.cookie);'; eval(pop.toLowerCase());">

Why it works: the contents of a <textarea> are treated as text (RCDATA), so nothing inside it is parsed as markup until a literal </textarea> appears. Once the injected closing tag ends the element, the <img> that follows is real markup, the bogus src forces the onerror handler to fire, and eval() runs the lowercased string, which is plain alert(document.cookie). The blocklist only ever saw the uppercase spelling.
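The following is an added example, not code from the target application or from the original write-up. It models the two weaknesses described above (a case-sensitive blocklist on the message body, and raw interpolation of the decrypted text into a <textarea>) and shows why the uppercase-plus-toLowerCase() trick gets past the filter, then applies the fix that actually closes the hole: contextual output encoding of the decrypted message. The filter logic, the rendering helpers and the stubbed alert/document used to observe the handler are all assumptions made for the demonstration; the payload string is the one from the article.

```javascript
// Added example: a model of the vulnerable flow and the hardened flow.
// Nothing here is the target application's real code.

// Assumed model of the app's filter: rejects only exact lowercase matches.
const BLOCKED_FUNCTIONS = ['alert', 'prompt', 'confirm'];

function naiveFilterAccepts(message) {
  return !BLOCKED_FUNCTIONS.some((fn) => message.includes(fn));
}

// Vulnerable rendering: decrypted text dropped into the textarea as raw HTML.
function renderTextareaUnsafe(decrypted) {
  return `<textarea>${decrypted}</textarea>`;
}

// The payload from the write-up (constructed constant for this example).
const PAYLOAD =
  `</textarea><img src=x onerror="var pop='ALERT(document.cookie);'; eval(pop.toLowerCase());">`;

// Pull the onerror handler out of the rendered markup, i.e. what the HTML
// parser would attach once the injected <img> is live. Returns null if no
// <img> tag exists in the markup (which is the case after encoding).
function extractOnerror(html) {
  const m = /<img[^>]*onerror="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Execute the handler with a stubbed alert() and document so we can observe
// what the browser would do. A direct eval() inside the Function body sees
// the `alert` parameter, just as an inline handler sees the global alert.
function runHandler(handler, cookie) {
  const calls = [];
  const alert = (arg) => calls.push(String(arg));
  const document = { cookie };
  new Function('alert', 'document', handler)(alert, document);
  return calls;
}

function simulateAttack(message, cookie) {
  if (!naiveFilterAccepts(message)) return { filtered: true, calls: [] };
  const handler = extractOnerror(renderTextareaUnsafe(message));
  return { filtered: false, calls: handler ? runHandler(handler, cookie) : [] };
}

// Fix: encode for the HTML context. Inside <textarea> (RCDATA) the only way
// out is a literal "</textarea", so turning '<' into '&lt;' is what matters;
// the other characters are encoded so the helper is safe in attribute
// contexts too. A case-insensitive blocklist would not be a fix on its own:
// 'AL'+'ERT' or String.fromCharCode would get past it just as easily.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderTextareaSafe(decrypted) {
  return `<textarea>${escapeHtml(decrypted)}</textarea>`;
}

function simulateHardened(message, cookie) {
  const handler = extractOnerror(renderTextareaSafe(message));
  return handler ? runHandler(handler, cookie) : [];
}

// Demonstration with a constructed session cookie.
const result = simulateAttack(PAYLOAD, 'session=abc123');
console.log('filter accepted payload:', !result.filtered);   // true
console.log('alert() received:', result.calls);               // [ 'session=abc123' ]
console.log('hardened render:', renderTextareaSafe(PAYLOAD));
console.log('hardened alert() calls:',
  simulateHardened(PAYLOAD, 'session=abc123'));               // []
```

Run it with node; the unsafe path hands the cookie to alert() while the encoded path renders the whole payload as visible text inside the textarea and never creates an <img> element at all. If the real application decrypts client-side, the same principle applies: write the result with textContent or the textarea's value property, never with innerHTML.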

Hence, the title : Encrypted Payload -> Decrypted Execution 💯😎

The submission was triaged and rewarded with a $600 bounty under the P3 category. The affected actors were the admins, the technical support team and the backend support staff, but the fact that technical team members must be added by an admin is what lowered the assessed impact 😁

That’s all for this Article, I Hope you guys enjoyed this form of learning ❤

Stay Safe 🤗

Follow my Instagram Creator account for more Bug Bounty & Ethical Hacking related content : https://www.instagram.com/shrirangdiwakar/ 😇

My LinkedIn: www.linkedin.com/in/shrirangdiwakar 🥰

Shower your love with the claps & share this with your friends ❣

Co-Founder & CISO at Knock Security Solutions | Ethical Hacker | Bug Bounty Hunter | Speaker | Content Creator | Ideator