Stored XSS Filter Bypass in the Skills section
Inspired by my recent post on LinkedIn, I’m excited to share my first-ever write-up on Medium. In this article, I’ll take you through my experience of finding a stored Cross-Site Scripting (XSS) vulnerability by getting around filters. Let’s dive into the details of my journey.
So let’s get started.
1. Finding the Target:
I chose a target website and explored it as a regular user. After signing up and logging in, I checked out the different sections available to users with accounts.
2. Exploring the Vulnerable Section:
Among the options, I clicked on “Settings” and then “Profile Summary.” Here, I found a place where users could list their skills, which seemed like a good spot to test for an XSS exploit.
3. First Payload Attempt:
I began with a simple payload:
<script>alert(1)</script>
After that, I opened my profile page, which was publicly accessible at https://target.com/pub/[username], and saw that everything had been stripped out.
4. Trying Something More Advanced:
Not discouraged, I experimented with another payload:
<img/src=x onerror=alert(document.cookie)>
Unfortunately, the field had a character limit of 30. I dug into the HTML code and extended the limit to 300. Even with this payload, I only saw an image error, not the expected alert.
So it was stripping suspicious parts of my payload.
5. Using Encoding for Payloads:
Realizing the website was detecting and removing suspicious code, I started playing with payload encoding. I tried variations like
<img/src=x onerror=alert(document.cookie)>
but these attempts were unsuccessful.
6. Discovering a Clever Hyperlink Payload:
In my quest for a breakthrough, I tried a hyperlink payload:
<a/href="javascript:alert(1);">ClickMe
Unfortunately, this caused the page to redirect to a 404 error.
I was like:
7. Solving the Encoding Puzzle:
<a/href="j	a	v	asc	ri	pt:alert(document.cookie)">
Cool! It didn’t strip alert now. But it didn’t work because of improper encoding. Let’s correct it:
8. Achieving Success:
Replaced: j	a	v	asc	ri	pt (which was actually j a v asc ri pt)
With: javascript (javascript)
GOTCHA!
The final payload that worked was:
<a/href="javascript:alert(document.cookie)">ClickMe
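Why the tab-separated scheme got past the filter while the browser still executed it: the HTML attribute value is entity-decoded by the HTML parser, and the WHATWG URL parser then strips every ASCII tab and newline from the input and lower-cases the scheme before deciding what it is. A filter that looks for the literal string "javascript:" in the raw value sees something different from what the browser sees. The example below is added here and is not code from the write-up or from the target site; the naive filter is an assumed reconstruction of what the site appears to have done, the hardened check is the allowlist approach a defender would use, and `BASE_ORIGIN` and all sample hrefs are constructed values.

```javascript
// Added example (not from the write-up): a raw-string blocklist versus a
// check that normalises the href the way a browser does before deciding.

// Assumed reconstruction of the vulnerable filter: look for the dangerous
// scheme as a literal prefix of the raw attribute value. Internal tabs are
// not whitespace-between-tokens here, so "j<TAB>a<TAB>vascript:" slips past.
function naiveIsSafeHref(href) {
  return !/^\s*javascript:/i.test(href);
}

// Decode numeric HTML character references (&#106; / &#x6a;). The HTML parser
// decodes these inside attribute values before the URL parser ever sees them,
// so a sanitizer inspecting raw markup must do the same first. Named
// references (&colon;, &Tab;) are deliberately out of scope for this example.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const cp = code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Allowlist of schemes a profile link may use. Anything else is rejected,
// so new dangerous schemes never need to be added to a blocklist.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Constructed base used to resolve relative hrefs such as "/pub/alice";
// in a real deployment use the origin the profile page is served from.
const BASE_ORIGIN = 'https://example.invalid/';

// Hardened check: let the WHATWG URL parser (the same algorithm the browser
// runs) determine the scheme. It removes ASCII tab/newline anywhere in the
// input and lower-cases the scheme, so obfuscated variants collapse to the
// real "javascript:" protocol and fail the allowlist.
function isSafeHref(href) {
  let url;
  try {
    url = new URL(decodeNumericEntities(href), BASE_ORIGIN);
  } catch (e) {
    return false; // unparseable input: reject rather than guess
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Run both checks over a list of candidate hrefs and report the verdicts,
// so the cases where the naive filter disagrees with the hardened one stand out.
function compareChecks(hrefs) {
  return hrefs.map((href) => ({
    href,
    naive: naiveIsSafeHref(href),
    hardened: isSafeHref(href),
  }));
}

// Constructed sample inputs, including the tab-separated scheme from the write-up.
const SAMPLES = [
  'https://target.example/pub/alice',
  '/pub/alice',
  'javascript:alert(1)',
  'j\ta\tv\tasc\tri\tpt:alert(document.cookie)',
  'JaVaScRiPt:alert(1)',
  '&#106;avascript:alert(1)',
];

for (const row of compareChecks(SAMPLES)) {
  console.log(JSON.stringify(row.href), 'naive:', row.naive, 'hardened:', row.hardened);
}
```

Running it shows the naive filter accepting the tab-separated and entity-encoded forms while the hardened check rejects every `javascript:` variant and still accepts plain https and relative links. The design point is that the decision must be made on the value the browser will actually act on (entity-decoded, then URL-parsed), and against an allowlist of schemes rather than a blocklist of strings.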
Thanks for reading!! I hope you found it helpful. Please let me know whether you would like me to continue creating more write-ups like this or not.
Let’s connect on LinkedIn for more: LinkedIn Profile