How a simple “Hey!” can turn into your worst Nightmare: Stored XSS

Hello Hunters, Hope you’re doing well. Ever thought about what can happen if you read any stranger’s “Hey!” message? Nothing will happen, right?! 🤔

Let me prove you wrong!! So relax and let me explain how a simple “Hey!” can turn into your worst nightmare!! 👻

I’m sure this would be you right now…😂

Let’s Begin

Cross-site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS is the most dangerous of all. To successfully execute a stored XSS attack, a perpetrator has to locate a vulnerability in a web application and then inject a malicious script into its server.
Unlike Reflected, The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for users to encounter it.

Summary:

The Web application is a global provider of cloud communications and allows devices to be connected anywhere and on any device through voice, video, and team messaging. So the application is vulnerable to a Stored Cross-Site Scripting (XSS) Vulnerability which allowed an attacker to execute his malicious Javascript code on the victim’s device, as soon as the victim interacts with the attacker in any way. (eg.message, task, etc)

The Reason for the javascript execution was the “Last Name” parameter. Whenever you receive any message from a stranger/known person, some details which are visible include First Name, Last Name, Username, etc. In this scenario, the script was injected in the “Last Name” of the attacker, and the exploitation point was not sanitized properly after fetching the attacker’s Last Name. This allowed any Javascript code injected into “Last Name” to be executed on the Victim’s device.

Steps Followed:

  1. Go to Edit Profile Section and inject the XSS payload given below in the “Last Name” field
  2. Now Create a task with Assignee marked as “Self”
  3. Send the task to the Victim with a simple “Hey!” message
  4. As soon as, the victim reads your message/task, the script will get executed.

Payload: ”><img src=z onerror=”alert(document.cookie)”

Scary, Isn’t it? 🥶

Wait…Wait…Wait! It's not over yet!! 😁

Exploiting one victim at a time is boring, right? So let’s try to use the application’s other feature of creating “Teams”!!😍

So now, As an attacker, we will create a Team of all our Victims and send the message just once. And all those who read fall into our well-organized Trap!!

But as usual, the Bugcrowd Triager marked it as a “Duplicate” -> I asked for reassessment -> Marked duplicate of another submission again -> I asked for reassessment again -> Triaged (P2) and rewarded $500 (could’ve been $2500 submission, but a Tier 4)

That’s all for this article, I hope you guys enjoyed this form of learning ❤

Stay Safe 🤗

Follow my Instagram Creator account for more Bug Bounty & Ethical Hacking related content: https://www.instagram.com/shrirangdiwakar/ 😇

My LinkedIn: www.linkedin.com/in/shrirangdiwakar 🥰

Shower your love with the claps & share this with your friends ❣

Co-Founder at Knock Security Solutions | Ethical Hacker | Bug Bounty Hunter | Content Creator | Ideator