(CRITICAL) Blind Stored XSS — My first Bug Bounty 💰

What is the impact of an XSS in a support chat?

Imagine a hacker with full access to the support account, able to spread the XSS to every user on the platform.

How it happens

During my tests on cs.money I sent an image to the supporter, captured the request and sent it to Burp Repeater. I noticed that I was able to break out of the HTML by injecting a double quote into the file name.

Okay, we have a very interesting thing here. How can we escalate the HTML injection to an XSS? Easy!
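As an added example (not cs.money's code and not the payload from the report), here is how a double quote in an uploaded file name turns an attribute injection into stored XSS, and how the renderer is fixed. The `<img>` template, the `/uploads/` path and the payload file name are assumptions for illustration; the write-up does not show the real support-chat markup.

```javascript
// Added example (not cs.money's code, not the report's payload): a file name
// interpolated into an HTML attribute, the double-quote break-out, and the fix.
// ASSUMPTIONS: the <img> template and the /uploads/ path are made up for
// illustration; the real support-chat markup is not shown in the write-up.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// VULNERABLE (assumed shape of the bug): the attacker-controlled file name is
// dropped straight into the attribute, so a `"` in it closes the attribute and
// everything after it is parsed as new attributes.
function renderAttachmentVulnerable(fileName) {
  return `<img src="/uploads/${fileName}" alt="${fileName}">`;
}

// HARDENED: the path segment is URL-encoded and the alt text is
// attribute-escaped, so the file name can never terminate the attribute.
function renderAttachmentSafe(fileName) {
  return `<img src="/uploads/${encodeURIComponent(fileName)}" alt="${escapeHtmlAttr(fileName)}">`;
}

// Minimal start-tag tokenizer that mimics how a browser splits attributes:
// a name, an optional "=" and a quoted or bare value. Used to show which
// attributes the browser would actually see in the rendered markup.
// (Simplification: assumes no ">" inside attribute values.)
function parseTagAttributeNames(tag) {
  const names = [];
  const end = tag.lastIndexOf(">");
  let i = tag.indexOf(" "); // skip the tag name
  while (i >= 0 && i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    if (i >= end) break;
    let name = "";
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    if (name) names.push(name.toLowerCase());
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === "=") {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const quote = tag[i];
      if (quote === '"' || quote === "'") {
        const close = tag.indexOf(quote, i + 1);
        i = close < 0 ? end : close + 1;
      } else {
        while (i < end && !/\s/.test(tag[i])) i++;
      }
    }
  }
  return names;
}

// Constructed file name for illustration: closes the attribute and smuggles in
// an event handler (the write-up only mentions an alert(123) proof of concept).
const PAYLOAD_FILE_NAME = 'x" onerror="alert(123)';

function demo(fileName = PAYLOAD_FILE_NAME) {
  const vulnerable = renderAttachmentVulnerable(fileName);
  const safe = renderAttachmentSafe(fileName);
  return {
    vulnerable,
    safe,
    vulnerableAttrs: parseTagAttributeNames(vulnerable), // includes "onerror"
    safeAttrs: parseTagAttributeNames(safe),             // only src and alt
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The tokenizer is the point of the example: the vulnerable output is one string, but the browser sees four attributes, two of them `onerror`; the hardened output still carries exactly `src` and `alt`. Escaping at render time is the fix; rejecting quotes and angle brackets in file names at upload time is a useful second layer, not a replacement.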

But how did I know that the XSS was being triggered on the support client? Well, I just asked him and he confirmed. 🍭

Just in case they asked for real impact, I crafted a payload that sends the supporter's cookies to my server:

I had some limitations, like no dots or spaces.

But how can it be so dangerous?

Imagine if, instead of an alert(123) payload, I crafted a payload that (as the supporter) sends another payload to every single user. When a user reads the message, the XSS triggers, allowing the hacker to steal private information, make unauthorized requests, buy and sell skins, and so on.

Result

CS Money awarded me a $1000 bounty (the critical bounty for support.cs.money). They tried to close it as critical, but because the maximum severity on subdomains is high, they closed it as high and paid me as critical.

My report reached the top of the Hacktivity feed just a few hours after I opened disclosure.

Benjamin Walter

Programmer, ethical hacker and pentester. 18 yo.
