Came looking for SSRF and found XSS

My first bug on H1.

Function:

Importing bookmarks from an external website

How it works:

  1. The function takes a URL

  2. Sends an HTTP request to the URL

  3. Previews the bookmarks on the website

  4. Then stores them in the page

Bookmarks

📌 The function only shows the content of the "a" and "title" tags from that external URL

I tried every possible SSRF attack I know, but nothing worked.

XSS:

Self XSS:

I just created a website with the following content:

<title> 
Tittle Injected<img src=x onerror=alert(1)>
</title>

<a href="#">
Link Injected<img src=x onerror=alert(1)>
</a>

And sent the request to my website from the bookmarking function.

The "a" tag content is being filtered but the title is not.

For now it’s just a self XSS.

Stored XSS:

  • The “Add” function here stores the bookmarks into the website.

  • The self XSS accepted any payload; no kind of XSS prevention is implemented there.

  • The add function removes the JS events from the bookmarks before storing them into the website.

After some good fuzzing, the following payload worked:

<audio src/onerror=alert(document.cookie)>

It’s stored in the following form:

<audio src(unknown) onerror="alert(document.cookie)">

📌 The report was closed as informative because of the program’s policy

They don’t accept XSS for some reason.
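For the defensive side of the finding above, an added example (not code from the original post or from the affected site): it compares a blacklist that strips event-handler attributes with output encoding, using the two title payloads from the write-up. The filter shown is an assumption about how such a blacklist might look, and all function names are hypothetical.

```javascript
// Added example with hypothetical names; this is not the affected site's code.

// Constructed sample input: title text as pulled from the imported page
// (both strings are the payloads quoted in the write-up).
const importedTitles = [
  'Tittle Injected<img src=x onerror=alert(1)>',
  '<audio src/onerror=alert(document.cookie)>',
];

// ASSUMED blacklist: removes on* attributes, but only when whitespace precedes them.
function stripEventHandlers(html) {
  return html.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Hardened approach: treat imported text as data and encode HTML metacharacters.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the markup that would be stored for one bookmark.
function renderBookmark(title, sanitize) {
  return '<li class="bookmark">' + sanitize(title) + '</li>';
}

// True when the markup still carries an inline event handler inside a real tag.
function hasLiveHandler(markup) {
  return /<[^>]*\bon\w+\s*=/i.test(markup);
}

// Runs every title through both strategies and reports what survives.
function compare(titles) {
  return titles.map((t) => ({
    input: t,
    blacklist: hasLiveHandler(renderBookmark(t, stripEventHandlers)),
    encoded: hasLiveHandler(renderBookmark(t, escapeHtml)),
  }));
}

console.log(compare(importedTitles));
```

The slash-separated attribute passes the whitespace-based blacklist untouched, while the encoded output contains no tag at all, so there is nothing left for a browser to parse as an attribute.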


Last updated 2 years ago