Stored XSS Filter Bypass in the Skills section

Inspired by my recent post on LinkedIn, I’m excited to share my first-ever write-up on Medium. In this article, I’ll take you through my experience of finding a stored Cross-Site Scripting (XSS) vulnerability by getting around filters. Let’s dive into the details of my journey.

So let’s get started.

1. Finding the Target:

I chose a target website and explored it as a regular user. After signing up and logging in, I checked out the different sections available to users with accounts.

2. Exploring the Vulnerable Section:

Among the options, I clicked on “Settings” and then “Profile Summary.” Here, I found a place where users could list their skills, which seemed like a good spot to test for an XSS exploit.

3. First Payload Attempt:

I began with a simple payload:

<script>alert(1)</script>.

After that, I opened my profile page which was publicly accessible at https://target.com/pub/[username], and saw everything was stripped off.

4. Trying Something More Advanced:

Not discouraged, I experimented with another payload:

<img/src=x onerror=alert(document.cookie)> 

Unfortunately, the field had a character limit of 30. I dug into the HTML code and extended the limit to 300. Even with this payload, I only saw an image error, not the expected alert.

So, it is stripping suspicious things from my payload.

5. Using Encoding for Payloads:

Realizing the website was detecting and removing suspicious code, I started playing with payload encoding. I tried variations like

<img/src=x onerror=alert&#40;document.cookie&#41;>

but these attempts were unsuccessful.

6. Discovering a Clever Hyperlink Payload:

In my quest for a breakthrough, I tried a hyperlink payload:

<a/href=”javascript:alert(1);”>ClickMe

Unfortunately, this caused the page to redirect to a 404 error.

I was like:

7. Solving the Encoding Puzzle:

<a/href=”j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;document.cookie&rpar;”>

Cool! It didn’t strip alert now. But it didn’t work because of improper encoding. Let’s correct it:

8. Achieving Success:

Replaced: j	a	v	asc	ri	pt (which was actually j a v asc ri pt)
With: j&#97v&#97script (javascript)

GOTCHA!

The final payload that worked was:

<a/href=”j&#97v&#97script&#x3A;&#97lert(document.cookie)”>ClickMe

Thanks for reading!! I hope you found it helpful. Please let me know whether you would like me to continue creating more write-ups like this or not.

Let’s connect on LinkedIn for more: LinkedIn Profile