bugbountyhunter scope BARKER: Third Blood, stored XSS report

Posted by sec875 on 2024-08-01
Report title: Stored Cross-Site Scripting (XSS)
Endpoint: https://7b6ae0ae6c79-sec875.a.barker-social.com/group/11
Vulnerable parameter: name
Payload: https://7b6ae0ae6c79-sec875.a.barker-social.com/group/11

Body
I have discovered a stored XSS vulnerability affecting the endpoint '/group/*' in the parameter 'name'. The payload requires no filter bypass and is a simple '<svg/onload=alert(0)>'.

You can see a working proof of concept here:
https://7b6ae0ae6c79-sec875.a.barker-social.com/group/11
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722460255/btp6vgaae1s3fs3kewgi.png)

To reproduce:
1. After logging in, go to Communities and create a group. Enter the payload in the Group Name field.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722460267/htpwjfrs6jyjea9xmibm.png)

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722460272/xg4y7zyv5tpw0kkussac.png)

2. Access My Group using any browser.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722456444/lg9sryihh889e0x9mc6i.png)

3. Visit My Profile, which is accessible to everyone: https://7b6ae0ae6c79-sec875.a.barker-social.com/group/11
4. You will observe that the XSS executes.

Payload used: <svg/onload=alert(1)>. No filtering at all.
Vulnerable parameter: name
Endpoint/URL: https://7b6ae0ae6c79-sec875.a.barker-social.com/group/11

Impact:
As the session cookies are not protected by HttpOnly, we can obtain these and achieve account takeover. As well as this, the CSRF token is stored in the DOM, which enables us to easily perform actions on behalf of the user.
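The root cause described in this report is that the stored group name is written into the page without output encoding, and the impact is amplified because the session cookie lacks HttpOnly. The following added example (my own code, not Barker's source, which is not shown on this page) demonstrates both points in isolation: a deliberately unencoded rendering of the group name next to the HTML-escaped version, a check that the reported payload no longer survives as active markup, and a Set-Cookie header built with the HttpOnly, Secure and SameSite attributes. The function names, the page template and the sample session id are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the same group name payload given in the report.
GROUP_NAME_PAYLOAD = "<svg/onload=alert(1)>"


def render_group_page_vulnerable(name: str) -> str:
    """Reflects the stored group name into HTML with no encoding.

    This mirrors the defect reported above: user-controlled data lands in an
    HTML text context verbatim, so a tag in the name becomes live markup.
    """
    return f"<h1>Group: {name}</h1>"


def render_group_page_fixed(name: str) -> str:
    """Context-appropriate output encoding for an HTML text node.

    html.escape turns <, >, & and quotes into entities, so the browser shows
    the name literally instead of parsing it as an element.
    """
    return f"<h1>Group: {html.escape(name, quote=True)}</h1>"


def contains_active_markup(rendered: str, payload: str) -> bool:
    """True if the raw payload survives in the rendered page unchanged.

    A simple regression check a template reviewer or unit test can use:
    if the submitted markup appears verbatim in the output, encoding is missing.
    """
    return payload in rendered


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value with the flags the report notes are missing.

    HttpOnly keeps document.cookie from exposing the session to script,
    Secure limits it to HTTPS, and SameSite=Lax reduces cross-site sending.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    vuln = render_group_page_vulnerable(GROUP_NAME_PAYLOAD)
    fixed = render_group_page_fixed(GROUP_NAME_PAYLOAD)
    print("vulnerable :", vuln, "->", contains_active_markup(vuln, GROUP_NAME_PAYLOAD))
    print("fixed      :", fixed, "->", contains_active_markup(fixed, GROUP_NAME_PAYLOAD))
    print("cookie     :", session_cookie_header("constructed-session-id"))
```

Escaping at output time is the fix that matters for this class of bug; the cookie attributes do not remove the XSS, they only deny script direct access to the session value, and a CSRF token present in the DOM is still readable by injected script, which is why the encoding fix comes first.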
