Blind XSS : a mind Game

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 12 hours ago · bug-bounty
Blind Xss (A mind game to win the battle)

By Dirtycoder · ~2 min read · December 11, 2019 (Updated: December 12, 2021)

In this write-up I will explain how I exploited a blind XSS in the backend portal of a program. I will not take much time and will keep the write-up simple and to the point.

It was a private program, so we will call it https://redacted.com. I used https://blindf.com in order to exploit it; it is a platform/tool/framework for finding blind XSS.

Attack starts:

1. Found a form on https://redacted.com.

2. I put a BHTML payload + BXSS payload in the text field.
Payload: ">
Result: The WAF stopped me from submitting the form.

3. I removed the BXSS payload, so now the payload was only the BHTML part.
Payload:
Result: The WAF did not stop me and I successfully submitted the form. The next day Blindf confirmed that the BHTML payload had executed in the backend. Now it was time to submit the BXSS payload, because I knew the backend portal was vulnerable and I just had to get the BXSS payload through.

4. Next payload used: BHTML + BXSS.
Payload: ">
Result: The WAF did not stop me and I successfully submitted the payload, but again only the BHTML payload worked and the BXSS did not. Time to modify the payload again.

5. Next payload used: BHTML + BXSS.
Payload: "> sfds">
Result: The WAF stopped me and I could not submit the form. Frustration was at its peak. Again, time to change the payload.

6. Next payload used: BHTML + BXSS.
Payload: ">">
Result: Bypassed the WAF, but again only the BHTML payload worked and the BXSS failed.

Now it was time not for more payload modification but for thinking about the situation.

Situation, step by step: I used BHTML + BXSS payloads. Some BXSS payloads bypassed the WAF but did not execute in the backend portal, whereas the BHTML payloads were going through fine and I was receiving responses from them. Maybe something was stopping my remote JS file from executing [CORS or Same-origin policy]. So I had to execute the BXSS without including a remote JS file. But how could I confirm the payload execution in the backend if I just showed them an alert popup?
Payload: "">
Result: WAF bypassed. BHTML payload executed. BXSS payload executed and I got the cookie value.

Severity: Critical (9 ~ 10)
Bounty: $1000

#javascript #blind-xss #stored-xss #html #xss-bypass
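Added example (my own code, not the author's or blindf.com's): a Python model of the two things this write-up turns on, a backend portal view that inserts a stored form field into HTML without encoding, and a signature WAF that only catches one fixed pattern, shown beside the contextually encoded fix. It assumes a hypothetical blocklist rule and a constructed textbook probe string, and it also checks a Content-Security-Policy value for 'unsafe-inline', on the assumption that a CSP (rather than the CORS/SOP the author guesses) is the kind of control that blocks a remote script while still letting inline handlers run.

```python
import html
import re

# Constructed probe string (textbook attribute-breakout test), not the author's payload.
PROBE = '"><img src=x onerror=alert(1)>'


def waf_blocklist(value: str) -> bool:
    """Hypothetical signature-style WAF rule: rejects input containing '<script'.
    Returns True when the request would be blocked. Variants that use other
    tags and event handlers never match, which is why blocklists keep losing."""
    return re.search(r"<\s*script", value, re.IGNORECASE) is not None


def render_vulnerable(name: str) -> str:
    """Backend portal view that concatenates the stored field straight into an
    attribute value. This is the bug class the write-up exploits."""
    return f'<input type="text" value="{name}">'


def render_fixed(name: str) -> str:
    """Same view with contextual output encoding. quote=True also turns the
    double quote into &quot;, so the attribute cannot be closed early."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def attribute_breakout(rendered: str) -> bool:
    """True if the markup contains any tag besides the single <input> the view emits."""
    return len(re.findall(r"<[A-Za-z]", rendered)) > 1


def csp_allows_inline_handlers(policy: str) -> bool:
    """Parse a Content-Security-Policy header value. Inline event handlers such
    as onload/onerror can run only if the effective script source list holds
    'unsafe-inline', or if neither script-src nor default-src is set.
    Simplified: nonce/hash sources and 'strict-dynamic' are not modelled."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    print("WAF blocks probe:", waf_blocklist(PROBE))                                    # False
    print("vulnerable view broken out:", attribute_breakout(render_vulnerable(PROBE)))  # True
    print("fixed view broken out:", attribute_breakout(render_fixed(PROBE)))            # False
    print("inline handlers allowed:", csp_allows_inline_handlers("script-src 'self'"))  # False
```

The encoded view neutralises the probe regardless of what the WAF does, which is the fix to ask for in a report; the CSP check is the question to put to the portal's headers when a remote script fails but inline handlers still fire.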