# Came looking for SSRF and found XSS

## Function:

Importing bookmarks from an external website

### How it works:

1. The function takes a URL
2. Sends an HTTP request to that URL
3. Previews the fetched bookmarks on the website
4. Then stores them in the page

### Bookmarks

📌 The function only shows the content of the "a" and "title" tags from that external URL

**I tried every possible SSRF attack I know, but nothing worked.**

## XSS:

### Self XSS:

I just created a website with the following content:

```html
<title> 
Tittle Injected<img src=x onerror=alert(1)>
</title>

<a href="#">
Link Injected<img src=x onerror=alert(1)>
</a>
```

And sent the request to my website through the bookmarking function.

The "a" tag content is filtered, but the title is not.

For now it’s just a self XSS.

![](https://3079983923-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeafLyjNWlqNSCbbrOwGR%2Fuploads%2FYX9ASF8XvCQORm1yaUqd%2Fimage.png?alt=media\&token=59d50468-0757-465a-8088-b6fbde07e8c8)

![](https://3079983923-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeafLyjNWlqNSCbbrOwGR%2Fuploads%2FaP3eDqdNL6iWsYDVNEGs%2Fimage.png?alt=media\&token=156bbdde-59f8-4174-9213-b58be7e14069)

### Stored XSS:

* The “Add” function here stores the bookmarks into the website.
* The self XSS accepted any payload; no kind of XSS prevention is implemented there.
* **The add function removes the JS event handlers from the bookmarks before storing them into the website**

### After some fuzzing, the following payload worked:

```html
<audio src/onerror=alert(document.cookie)>
```

It’s stored in the following form:

```html
<audio src(unknown) onerror="alert(document.cookie)">
```
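Why the slash payload survives: a browser's HTML tokenizer treats `/` between attributes like whitespace, so `src/onerror=...` becomes two attributes, `src` and `onerror`, while a filter that looks for a space before `on...=` never sees it. The block below is an added example, not the target's code or the author's: the naive filter, the attribute-name check and the escaping fix are all assumed implementations written to model the behaviour described in the write-up.

```javascript
// Naive filter of the kind described above: drops on*= attributes, but
// only when whitespace precedes them (assumed implementation, not the
// target's real code).
function naiveStripEvents(html) {
  return html.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Attribute names a browser would see in a start tag. The tokenizer treats
// "/" as a separator, so "src/onerror=x" yields "src" and "onerror".
function attributeNames(startTag) {
  const inner = startTag.replace(/^<\s*[a-z0-9]+/i, "").replace(/\/?>$/, "");
  const attr = /([^\s/=>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]*))?/g;
  return [...inner.matchAll(attr)].map((m) => m[1].toLowerCase());
}

// Detection check: does any attribute name start with "on"?
function hasEventHandler(startTag) {
  return attributeNames(startTag).some((n) => n.startsWith("on"));
}

// Mitigation: the preview only needs the text of <title> and <a>, so
// encode it as text before storing or rendering it; never keep markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs mirroring the two payloads from the write-up.
const classic = "<img src=x onerror=alert(1)>";
const slashed = "<audio src/onerror=alert(document.cookie)>";

function demo() {
  return {
    classicFiltered: naiveStripEvents(classic),   // "<img src=x>"
    slashedFiltered: naiveStripEvents(slashed),   // unchanged: filter misses it
    slashedStillLive: hasEventHandler(naiveStripEvents(slashed)), // true
    escaped: escapeHtml(slashed),                 // inert text, no tag at all
  };
}
```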

📌 The report was closed as informative because of the program’s policy.

They don’t accept XSS for some reason.
