bugbountyhunter scope BARKER: Second Blood, Stored XSS Report

Posted by sec875 on 2024-08-01
Report title: Stored Cross-Site Scripting (XSS)
Endpoint: https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/update/52
Vulnerable Parameter: profile_description
Payload: https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/sec875

Body
I have discovered a stored XSS vulnerability affecting the endpoint '/profile/update/*' in the parameter 'profile_description'. The payload requires no filter bypass and is a simple '<svg/onload=alert(0)>'.

You can see a working proof of concept here:
https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/sec875
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722456444/lg9sryihh889e0x9mc6i.png)

To reproduce:
1. After logging in, go to edit profile and enter the payload in the Description text box.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722456439/zxdsbfotfifaifmzdzum.png)

2. Access My profile using any browser.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722456444/lg9sryihh889e0x9mc6i.png)
3. Visit my profile, which is accessible to everyone: https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/sec875
4. You will observe the XSS execute.

Payload used: <svg/onload=alert(1)>. No filtering at all.
Vulnerable parameter: profile_description
Endpoint/URL: https://7b6ae0ae6c79-sec875.a.barker-social.com/profile/sec875

Impact:
As the session cookies are not protected by the HttpOnly flag, we can obtain them and achieve account takeover. In addition, the CSRF token is stored in the DOM, which enables us to easily perform actions on behalf of the user.
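The two defects the report relies on, the unencoded rendering of `profile_description` and the session cookie without HttpOnly, are shown below beside their fixes. This is an added example, not code from the report or from BARKER; the function names and the `session` cookie name are assumptions, and the sample description is constructed from the report's payload.

```javascript
// Added example (not part of the original report or of BARKER).
// Sample value constructed from the payload in the report.
const PAYLOAD = '<svg/onload=alert(1)>';

// Vulnerable rendering: the stored description is concatenated straight into
// the profile page, so any markup it contains is parsed by every visitor's browser.
function renderProfileVulnerable(description) {
  return `<div class="description">${description}</div>`;
}

// Hardened rendering: characters with meaning in HTML are encoded before
// insertion, so the stored text is displayed literally and never becomes a tag.
function encodeHtml(text) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(text).replace(/[&<>"'/]/g, (c) => map[c]);
}

function renderProfileSafe(description) {
  return `<div class="description">${encodeHtml(description)}</div>`;
}

// Mitigation for the impact section: with HttpOnly set, an injected script
// cannot read the session cookie via document.cookie. (Cookie name is assumed.)
function sessionCookie(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Check a Set-Cookie header value for the HttpOnly attribute (case-insensitive).
function cookieIsHttpOnly(setCookieHeader) {
  return setCookieHeader
    .split(';')
    .map((part) => part.trim().toLowerCase())
    .includes('httponly');
}
```

The vulnerable path emits the `<svg>` tag verbatim, while the hardened path emits `&lt;svg&#x2F;onload=alert(1)&gt;`, which the browser shows as text.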
