Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code; the web page or web application becomes the vehicle that delivers the malicious script to the user's browser. Vehicles commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.
According to OWASP: Stored Cross-site Scripting (XSS) is the most dangerous type of Cross-site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack.
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The stored input is not correctly filtered or encoded. As a consequence, the malicious data will appear to be part of the web site and run within the user's browser under the privileges of the web application. Since this vulnerability typically involves at least two requests to the application (one to store the payload, one to render it), it may also be called second-order XSS. Learn more about Stored XSS at https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
So, let's start with how I was able to find Stored XSS in a social website, how I was able to exploit it, and what its impact on users was. Let's refer to that social website as redacted.com, as I am not allowed to share these vulnerabilities.
One year ago, I was invited by my friend to a social platform that gives money in return for using their website (likes, shares, watches, etc.). At first, I started visiting every page and testing every feature like a normal user, and after peeking everywhere it was time to test for vulnerabilities.
So I started digging into things from the sign-up page. I filled in the sign-up form like a normal user.
I started Burp Suite (everyone's favourite) and intercepted the request. In the request, I modified the first name, inserting the following code instead, and submitted it.
<script>alert("Testing for Stored XSS")</script>
After intercepting the request and modifying it with the malicious payload, I submitted the request and was shocked to see that the server accepted it without any WAF or protection. There was a feature whereby each new user appeared at least once inside the news feed under Friend Suggestions. So whenever someone opened the news feed, my account containing the malicious code would appear and the malicious code would be executed.
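To make the mechanism concrete, here is an added Python example (not code from this write-up or from the affected site) that models the flow described above and in the OWASP definition: a sign-up handler stores the submitted first name verbatim, a friend-suggestions widget interpolates it into HTML for every viewer, and a corrected version of the same widget applies output encoding. The in-memory store, the function names and the `contains_raw_script_tag` helper are assumptions for illustration; the payload string is the one used in the write-up.

```python
import html
import re

# Payload string exactly as used in the write-up; constructed sample input here.
TEST_PAYLOAD = '<script>alert("Testing for Stored XSS")</script>'


def register_user(store, first_name):
    """Sign-up handler (assumed shape): the submitted first name is stored
    verbatim. Storing raw input is acceptable on its own; the defect shown
    below is rendering it later without output encoding."""
    user_id = len(store) + 1
    store[user_id] = {"first_name": first_name}
    return user_id


def render_suggestions_vulnerable(store):
    """Friend-suggestions widget that interpolates stored names straight into
    HTML. Every viewer of the feed receives whatever the registrant typed,
    which is the second request of a second-order (stored) XSS."""
    items = "".join(
        f'<li class="suggestion">{u["first_name"]}</li>' for u in store.values()
    )
    return f"<ul>{items}</ul>"


def render_suggestions_safe(store):
    """Same widget with HTML output encoding. html.escape() converts
    < > & " ' into entities, so the browser displays the text instead of
    parsing it as markup. This covers HTML element and attribute context only;
    JavaScript, URL and CSS contexts need their own encoders."""
    items = "".join(
        f'<li class="suggestion">{html.escape(u["first_name"], quote=True)}</li>'
        for u in store.values()
    )
    return f"<ul>{items}</ul>"


# Hypothetical helper for a regression test: flags an unencoded <script> open
# tag in a rendered fragment. Run it on user-controlled fragments, not on a
# whole page that legitimately carries the application's own scripts.
_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_raw_script_tag(fragment):
    return _SCRIPT_OPEN.search(fragment) is not None


def compare_renderings(first_name):
    """Register one ordinary user and one with the given name, then return
    (vulnerable_html, safe_html) so both renderings can be inspected."""
    store = {}
    register_user(store, "Alice")
    register_user(store, first_name)
    return render_suggestions_vulnerable(store), render_suggestions_safe(store)


if __name__ == "__main__":
    vulnerable, safe = compare_renderings(TEST_PAYLOAD)
    print("vulnerable:", vulnerable)
    print("safe:      ", safe)
```

The fix is on the output side: encode at the point where stored data meets HTML, for every field and every view that shows it (the friend-suggestions widget here, but also profile pages, notifications and any admin panels). Input validation on the first name is a sensible extra layer, and a Content Security Policy limits what an injected script could do, but neither replaces context-appropriate output encoding.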
Follow for more write-ups; the next write-up will be about IDOR (Insecure Direct Object References) in a social website.
Thank you for reading.