vulnerability name: cross site scripting through chat messages
Here is a vulnerability I reported a long time ago to the Vanilla organisation and was rewarded for. I just wanted to share the write-up here.
Usually I start by trying XSS injection. I began by searching for every place I could insert input, and then thought, why not try injecting into the chat text input? I tried some basic XSS payloads, but they didn't work, so I fired up Burp Suite to try mass XSS payloads.
- Fired up Burp Suite.
- Intercepted the chat text request in Burp Suite and selected the injection point for the payload.
- Loaded the mass payload list and started the attack.
- Every request came back with a 200 response, so how do you tell whether a payload worked? I started looking through each response and found that the application was filtering keywords and tags such as alert(1) and <script>.
- That gave me an idea: I searched the responses for alert(1) and found a few results.
- From those I adjusted the payloads so that the XSS triggers when the victim moves the cursor over the text. Here is the PoC report; the link is attached at the bottom.
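The filter-hunting loop from the steps above, as an added example of mine (not the author's code and not Vanilla's): a constructed keyword blacklist that mimics the described behaviour (dropping `<script` and `alert(1)`) is run against a small payload list, and each rendered message is checked for the payload surviving verbatim, which is the only signal you have when every request returns 200. The same scan against an HTML-escaping sanitizer shows what a proper fix looks like. The blacklist, the payload list and the page template are assumptions for illustration, not Vanilla's actual filter or markup.

```python
import html
import re

# Constructed payload list standing in for a Burp Intruder wordlist
# (assumption, not the author's list).
PAYLOADS = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<b onmouseover=alert(document.domain)>hover me</b>',
    '<svg/onload=alert`1`>',
    'just a normal message',
]

# Hypothetical keyword/tag blacklist mimicking the filtering the writeup
# describes. Not Vanilla's real code; it only strips the two strings the
# author saw being removed from responses.
_BLACKLIST = re.compile(r'<script|alert\(1\)', re.IGNORECASE)


def blacklist_filter(message: str) -> str:
    """Weak sanitizer: deletes blacklisted substrings, passes everything else."""
    return _BLACKLIST.sub('', message)


def escape_filter(message: str) -> str:
    """Correct sanitizer for text-only chat: HTML-encode < > & and quotes on output."""
    return html.escape(message, quote=True)


def render_message(sanitizer, message: str) -> str:
    """Stand-in for the server rendering a chat message into the notification HTML."""
    return f'<div class="notification">{sanitizer(message)}</div>'


def survives(payload: str, response_body: str) -> bool:
    """The check the writeup describes: the status code says nothing, so grep
    the response body for the payload reflected verbatim (unencoded).
    Only markup counts; a benign message reflecting verbatim is expected."""
    return '<' in payload and payload in response_body


def scan(sanitizer):
    """Run every payload through the sanitizer and return the ones that bypass it."""
    return [p for p in PAYLOADS if survives(p, render_message(sanitizer, p))]


if __name__ == '__main__':
    for name, fn in (('blacklist', blacklist_filter), ('html.escape', escape_filter)):
        print(f'{name}: {scan(fn)}')
```

Against the blacklist, the two event-handler payloads that avoid both blacklisted strings come back verbatim, which is the same bypass the write-up arrives at (trigger on mouseover rather than via `<script>`/`alert(1)`); against `html.escape` nothing survives. Note that `<img src=x onerror=alert(1)>` is not reported even though its `onerror=` attribute survived with only the call body stripped: a verbatim grep misses partially filtered payloads, so in practice also search responses for `on\w+=` inside tags and retry with a call the blacklist does not know about.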
Vulnerable URL: http://4gcommunity.vanillacommunities.com/messages/4

## Steps to reproduce:
1. Go to http://4gcommunity.vanillacommunities.com/messages/4
2. Go to Add message and send any one of the payloads as a message.
3. When the victim gets the message notification in the bottom left, as seen in the screenshot, and moves the cursor over it, it will pop up "xss".
Impact:
1. An attacker can use this to steal cookies.
2. Because it is delivered through messaging, it is trivial to exploit: whoever the payload is sent to is affected.
I also posted a video as a PoC in the report linked below. I hope it helps make things clear.
Vanilla disclosed on HackerOne: XSS through chat messages