(CRITICAL) Blind Storage XSS — My first Bug Bounty 💰

What is the impact of a XSS on support chat?

Imagine, a hacker with full access to the support account and able to spread the XSS for every user on the platform.

How it happens

During my tests on cs.money I sent an image to the supporter, got the request and sent to burp repeater. I noticed that I was able to break the HTML code by inject a double quote on the file name.

Okay, we have a very interesting thing here. How can we escalate the HTML injection to a XSS? Easy!

But how did I knew that the XSS was being triggered on the support client? Well, I just asked him and he confirmed. 🍭

Just in case they ask for a real impact, I crafted a payload that sends the supporter cookies to my server:

I had some limitations like no dots or spaces

But how can it be so danger?

Imagine if instead of a alert(123) payload I craft a payload that (as supporter) sends another payload for every single user . When the user read the message, the XSS will trigger, allowing the hacker to steal private information, do unauthorized requests, buy, sell skins and so on.

Result

CS Money awarded me with a $1000 bounty (the critical bounty for support.cs.money). They tried to close as critical, but because the maximum severity on subdomains is high, they closed as high and awarded me as critical.

My report got on top rank of Hacktivity feed just a few hours after I open disclosure.

Programmer, ethical hacker and pentester. I am 17 years old. RS, Brazil

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store