How I got stored XSS on the ADMIN panel?

Hey guys, so I am back with a new post this time. Recently I was assigned a penetration test for a certain client. I have written another post on my CSRF findings in this penetration test.
If you haven't read that post, I recommend checking it out here, so that you can understand the application flow and how a user can interact with the ADMIN. I don't want to make this a long post by repeating the same things I covered in the last one.
         
Let's get to the main point then. In the application, the ADMIN can invite a user, who then signs up through that invite link. The main thing I noticed here was that this user could also update the settings page for the company, including the company name. The company name was reflected on the page, and I immediately thought it seemed a perfect place to look for XSS. So I started trying different XSS payloads there, but most of what I could think of was being filtered.

If I put "><img src=x onerror=alert(1)> into the field, only "> was reflected on the page, so yeah, it was a WAF blocking my payloads. Simple, I know that. After this, I tried several payloads, but I was enough of a fool to overlook event handlers for my final XSS payload. Just then, I was browsing Twitter and saw a tweet from h1_kenan about how he got XSS on a forbidden page, and it suddenly hit me: hey dumbass, you are missing this simple payload.
     
''onmouseover" = " alert (1)"

As soon as I put the above payload in the input field, a simple hover triggered it and I got that sweet alert box. MISSION SUCCESSFUL. I got XSS through the same payload on another input field as well. Now all I had to do was put this payload in and save the settings. When an ADMIN or a MASTER ADMIN opens their settings page, the payload is triggered, and I can hijack their cookies and take over their account through that.
This payload was not rocket science, but hey, if you are feeling stuck, always remember that there are a lot of ways to bypass XSS filters. So, let's TRY HARDER.
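The reason the bypass above works is that the application filtered the input for tag-like text instead of encoding the value for the HTML attribute it was written into. The following is an added example, not code from the post or from the tested application, that models both approaches in plain Python (stdlib only). The template markup, the tag-stripping filter and the two sample inputs (modelled on the two payload shapes described in the post) are all constructed here; the parser-based check at the end is the kind of test a defender can run against rendered pages to confirm that user-controlled data never becomes an event-handler attribute.

```python
import html
import re
from html.parser import HTMLParser

# Constructed server-side template: the company name is rendered into an
# attribute value, which is the context the post describes (hypothetical markup).
TEMPLATE = '<input type="text" name="company" value="{name}">'

# Constructed sample inputs modelled on the two payload shapes in the post.
TAG_PAYLOAD = '"><img src=x onerror=alert(1)>'   # the filter reduces this to  ">
ATTR_PAYLOAD = '" onmouseover="alert(1)'         # contains no tag, so the filter passes it


def naive_tag_filter(value: str) -> str:
    """Blocklist-style filter: drop anything that looks like an HTML tag.
    This mimics what the post observed; it never considers the attribute
    context the value is written into, so quotes and on* names survive."""
    return re.sub(r"<[^>]*>", "", value)


def render_filtered(name: str) -> str:
    """Weak approach: filter the input, then splice it into the template unchanged."""
    return TEMPLATE.format(name=naive_tag_filter(name))


def render_encoded(name: str) -> str:
    """Contextual output encoding: quote=True also encodes the double quote,
    so the input cannot close the value attribute and start a new one."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class EventHandlerFinder(HTMLParser):
    """Parses rendered markup and records every on* attribute, i.e. every
    place a browser would bind script to an element."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for attr, _value in attrs:
            if attr.lower().startswith("on"):
                self.handlers.append((tag, attr.lower()))


def event_handlers(markup: str) -> list:
    """Defender-side check: which elements in this markup carry an event handler?"""
    finder = EventHandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    for label, payload in (("tag payload", TAG_PAYLOAD), ("attribute payload", ATTR_PAYLOAD)):
        print(f"{label}:")
        filtered = render_filtered(payload)
        encoded = render_encoded(payload)
        print("  filtered :", filtered, event_handlers(filtered))
        print("  encoded  :", encoded, event_handlers(encoded))
```

Running it shows the filtered rendering of the attribute-style input gaining an onmouseover attribute on the input element, while the encoded rendering of both inputs keeps everything inside the value attribute. The design point is that the encoding is chosen by the output context (here an HTML attribute), not by what the input looks like; a filter that only knows about tags has no way to express that rule.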

Until next time, and yes, I will be the PIRATE KING. :D
