Came looking for SSRF and found XSS

My first bug on H1.

Function:

Importing bookmarks from an external website

How it works:

  1. The function takes a URL

  2. Sends HTTP request to the URL

  3. Previews the bookmarks into the website

  4. Then stores them in the page

Bookmarks

📌 The function only shows the content of the "a" and "title" tags from that external URL

I tried every possible SSRF attack I know, but nothing worked.

XSS:

Self XSS:

I just created a website with the following content:

<title> 
Tittle Injected<img src=x onerror=alert(1)>
</title>

<a href="#">
Link Injected<img src=x onerror=alert(1)>
</a>

And sent the request to my website from the bookmarking function.

The "a" tag content is being filtered but title is not.

For now it’s just a self XSS.

Stored XSS:

  • The “Add” function here stores the bookmarks into the website.

  • The self XSS accepted any payload; no kind of XSS prevention is implemented there.

  • The add function removes the JS events from the bookmarks before storing them in the website.

After some good fuzzing, the following payload worked:

<audio src/onerror=alert(document.cookie)>

It’s stored in the following form:

<audio src(unknown) onerror="alert(document.cookie)">

📌 The report was closed as informative because of the program’s policy

They don’t accept XSS for some reason.
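
The stored XSS above survives because the "Add" function strips event handlers instead of encoding the extracted text. As an added example (not code from the original post or from the affected site), the JavaScript below runs the two payloads from the post through a hypothetical blacklist filter and through HTML encoding, then lists the on* attributes a browser would still parse. The filter regex and all function names are assumptions, since the post does not show the site's code.

```javascript
// Added example. The blacklist regex is an ASSUMPTION about how an
// event-handler stripping filter can fail; it is not the site's real code.

// Hypothetical blacklist: removes on*= attributes only when whitespace precedes them.
function stripEventHandlers(html) {
  return html.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Output encoding: extracted <title>/<a> content is treated as text, never markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the on* attribute names a browser would parse from start tags in `html`.
// In the HTML tokenizer a "/" between attributes effectively acts as a separator,
// so "src/onerror=..." still produces an onerror attribute.
function eventAttributes(html) {
  const found = [];
  for (const tag of html.match(/<[a-zA-Z][^>]*>/g) || []) {
    const attrs = tag.slice(1, -1).replace(/^[^\s/]+/, ""); // drop the tag name
    const re = /[\s/]+([^\s/=>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]*))?/g;
    let m;
    while ((m = re.exec(attrs)) !== null) {
      if (/^on/i.test(m[1])) found.push(m[1].toLowerCase());
    }
  }
  return found;
}

// Builds the stored bookmark entry with both untrusted fields encoded.
function renderBookmark(title, linkText) {
  return `<li>${escapeHtml(title)} <a href="#">${escapeHtml(linkText)}</a></li>`;
}

// Compares what survives each approach for one untrusted string.
function compare(input) {
  return {
    blacklist: eventAttributes(stripEventHandlers(input)),
    encoded: eventAttributes(escapeHtml(input)),
  };
}

// Inputs taken from the payloads shown in the post.
for (const p of ["<img src=x onerror=alert(1)>", "<audio src/onerror=alert(document.cookie)>"]) {
  console.log(p, JSON.stringify(compare(p)));
}
```

The `eventAttributes` helper can also serve as a regression check on whatever the importer stores: any non-empty result for a field that should be plain text means markup got through.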
