
The Ticklish XSS

Recently I came across a very tricky XSS on a company site. Let's call the target example.com. Account and profile settings are usually the first thing I test. The profile section had name, email, phone and email notification preferences. Naturally I went for the name field to try XSS. I tried a number of XSS payloads but nothing worked: forward slashes (/), colons (:), less-than signs (<) and periods (.) were strictly disallowed. When you visit example.com/help, the profile name is printed out like "Hello User A". So I was fairly sure that if I could get the site to accept an XSS payload in the name field, it would execute at example.com/help. I tried a number of encoded payloads, simple and complex, with and without (/ ; . <), but nothing worked. I let it go for a moment, took a breath and said to myself: "Is it possible for User A to set the profile name of User B? There would be no restriction on User A using ( / or : or < ) on User B's account, since the restriction applies to User B on User B's own account." But that made no sense at all; why would any platform let anyone set the profile name of other users?

Anyhow, while testing some other features, I came across an option that lets you invite another user to a particular project. You have to enter the name and email of the person you are inviting.

I clicked on it and put `<script>alert("XSS by malik")</script>` in the name field and User B's email. After User B accepted the invitation, I expected User B's profile name to change to `<script>alert("XSS by malik")</script>`, which would bypass the forward slash, colon and period restriction, and I was hoping the XSS would fire there. But it didn't go the way I expected.

But there was something worth a closer look. When User B went to his profile, he saw the name he had set himself. But when he visited the project section, his name was the one User A had set for him in the invitation. So User A can set User B's name in the project section, but not the one in the profile.

But wait a minute! What if I invite a person who has no account yet? Genius, right?

Let's give it a try. I quickly went to the project section, clicked on invite user, and put name=`<script>alert("XSS by malik")</script>` and an email. Now when User C checks the email and accepts the invitation, he is redirected to a new window at example.com/sign-up. But he has only two fields to fill in while signing up: Password and Confirm Password. The name and email are pre-filled with the values User A set. As soon as User C enters a password and confirms it, he has an account. Despite all those restrictions, validation and filtering, his profile name is still `<script>alert("XSS by malik")</script>`. And as soon as he visits example.com/help, the XSS pops up. GAME OVER.
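The root cause of the chain above is that the display-name rule was enforced only on the profile form, while the invite flow wrote an inviter-supplied name straight into a new account, and the help page then printed that name unencoded. The following is an added illustration, not code from the original post or from the site described: it models the name rule on the characters the post says were rejected (a constructed rule; a real application would use an allow-list), shows the vulnerable invite sign-up beside one routed through the same chokepoint, and encodes the name where it is rendered so the page is safe even when validation is bypassed somewhere upstream.

```python
"""Added example: one display-name chokepoint shared by every flow that can
create or change a name, plus output encoding where the name is rendered."""
import html
from typing import Optional

# Constructed rule modelled on the characters the post says the profile form
# rejected ("/", ":", "<", "."); a real application would allow-list instead.
FORBIDDEN_CHARS = frozenset("/:<.")


def name_is_allowed(name: str) -> bool:
    """Single source of truth for the display-name rule."""
    return bool(name.strip()) and not (set(name) & FORBIDDEN_CHARS)


def update_profile_name(profile: dict, name: str) -> bool:
    """Profile form: validated, as the post describes. Returns False on reject."""
    if not name_is_allowed(name):
        return False
    profile["name"] = name
    return True


def sign_up_from_invite_vulnerable(invite_name: str) -> dict:
    """Invite flow as the post describes it: the inviter-supplied name is
    pre-filled and stored without ever passing through the profile rule."""
    return {"name": invite_name}


def sign_up_from_invite_fixed(invite_name: str) -> Optional[dict]:
    """Invite flow routed through the same chokepoint; returns None when the
    inviter-supplied name would have been rejected on the profile form."""
    profile = {"name": ""}
    if not update_profile_name(profile, invite_name):
        return None
    return profile


def render_help_greeting(profile: dict) -> str:
    """example.com/help prints 'Hello <name>'. Encode for the HTML text
    context regardless of what validation did (or failed to do) upstream."""
    return "Hello " + html.escape(profile["name"], quote=True)


def audit_entry_points(name: str) -> dict:
    """For one inviter-supplied name, report which flows would store it.
    A defender can run this over every name-writing flow to find bypasses."""
    return {
        "profile_form": update_profile_name({"name": ""}, name),
        "invite_signup_vulnerable": sign_up_from_invite_vulnerable(name) is not None,
        "invite_signup_fixed": sign_up_from_invite_fixed(name) is not None,
    }


if __name__ == "__main__":
    # Constructed sample: a harmless tag that the profile rule rejects.
    sample = "<i>User C</i>"
    print(audit_entry_points(sample))
    print(render_help_greeting(sign_up_from_invite_vulnerable(sample)))
```

The audit function is the part worth keeping: whenever a new flow can write a display name (invites, imports, admin tools, SSO claims), add it to the audit so a bypass of the shared rule shows up as a failing assertion rather than as a bug report. The output encoding in `render_help_greeting` is the actual XSS fix; the input rule only reduces exposure.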

The attack surface was small, since it required victim interaction and the condition that the victim had no account beforehand. But the perspective I took away from it is: "More than cheat sheets, we need methodology." Happy Hunting!

Get in touch here:

https://www.twitter.com/adnanmalikinfo

Published in Bug Bounty, Cyber Security

2 Comments

  1. Your style is really unique in comparison to other people I've
    read stuff from. Thank you for posting when you've got the opportunity, Guess I
    will just bookmark this site.

  2. shamshad alam

    adnanmalikinfo you are Great
