Encrypted Payload -> Decrypted Execution ($600) : Stored XSS
Hello Hunters, This is a Tale of how I used an Application’s feature against itself to give rise to a Stored Cross Site Scripting Vulnerability. So relax and Enjoy the article ❤
Damn Excited to share this story…..😍
Cross-site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS is the most dangerous of all. To successfully execute a stored XSS attack, a perpetrator has to locate a vulnerability in a web application and then inject a malicious script into its server.
Unlike reflected XSS, the attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for users to encounter it.
The web application was a server hosting management system with 24x7 support, datacentre facilities, etc. The application had a feature to create support tickets for technical support, server hosting support, billing support, etc. Admins, technical support team members and the application’s own support team all took part in the ticket conversation. Here, we could raise our questions, which were resolved by the support staff, similar to a chat feature.
If any sensitive information such as passwords needed to be sent, an encryption feature was provided where any member could encrypt the message and send it as a reply to the support ticket; when the reply was clicked, it was decrypted. So after analysing deeper, I figured out a way to use their own feature: it encrypted my specially crafted payload, and when clicked the payload got executed, giving rise to a stored cross-site scripting vulnerability.
Steps Followed :
- Created a support ticket
- Analysed the “Encrypt Message” feature and figured out that the encrypted message was decrypted on click into a <textarea> tag
- Also, the application didn’t allow the alert, prompt or confirm functions, but it allowed the uppercased versions of them
- So, crafted a special payload to first break out of the <textarea> tag, then supply the uppercased “ALERT(1)”, which the payload lowercases at runtime so that it is processed as “alert(1)”
- Using the “Encrypt Message” feature, encrypted the payload and sent it as a reply to the support ticket
- So if anyone from the support team, technical team or admin clicked on the message (as they obviously would) to check the original content, it would be decrypted and the payload would then execute
- Now, all victims involved in the ticket were vulnerable to XSS on decrypting the message💯
Payload : </textarea><img src=x onerror="var pop='ALERT(document.cookie);'; eval(pop.toLowerCase());"
Hence, the title : Encrypted Payload -> Decrypted Execution 💯😎
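To show why the keyword blocklist above was not a fix and what would have been, here is an added example (my own illustration, not the target application’s code). It assumes the decrypted reply was built into the <textarea> by string concatenation; the function names and the extra closing “>” on the test payload are constructed for the demo.

```javascript
// Constructed test input, based on the payload from this write-up.
const PAYLOAD =
  '</textarea><img src=x onerror="var pop=\'ALERT(document.cookie);\'; ' +
  'eval(pop.toLowerCase());">';

// A case-sensitive keyword blocklist of the kind the application used.
// Returns true when the message would be rejected. Hypothetical name.
function naiveBlocklistRejects(msg) {
  return ['alert(', 'prompt(', 'confirm('].some(k => msg.includes(k));
}

// Contextual output encoding. The body of <textarea> is RCDATA, so encoding
// '<' and '&' is what stops a "</textarea>" inside the data from closing the
// element; the other characters are encoded for safety in other HTML contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable rendering: decrypted text concatenated straight into markup.
function renderVulnerable(decrypted) {
  return '<textarea readonly>' + decrypted + '</textarea>';
}

// Hardened rendering: encode before concatenation (or, in a browser, set the
// element's .value / .textContent instead of building HTML strings).
function renderHardened(decrypted) {
  return '<textarea readonly>' + escapeHtml(decrypted) + '</textarea>';
}

// Simple check for a template-level test: the template contributes exactly one
// closing tag, so any extra "</textarea>" means user data broke out.
function textareaCloseCount(html) {
  return (html.match(/<\/textarea>/gi) || []).length;
}

// Blocklist lets the uppercased payload through; encoding neutralises it.
console.log('blocklist rejects payload:', naiveBlocklistRejects(PAYLOAD)); // false
console.log('close tags, vulnerable:', textareaCloseCount(renderVulnerable(PAYLOAD))); // 2
console.log('close tags, hardened:', textareaCloseCount(renderHardened(PAYLOAD))); // 1
```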
The submission was triaged and I got rewarded with a $600 bounty under the P3 category. The affected actors were the admins, the technical support team and the backend support, but the fact that technical team members must be added by an admin is what lowered the possible impact 😁
That’s all for this article. I hope you guys enjoyed this form of learning ❤
Stay Safe 🤗