How I was able to turn self XSS into reflected XSS

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · bug-bounty
AI Summary

A bug bounty researcher discovered a technique to escalate a self-XSS vulnerability into a reflected XSS by encoding the malicious payload as a QR code, which bypassed client-side filtering and allowed automatic payload execution when scanned by victims without additional user interaction.

Entities: HackerOne, Hein Thant Zin
How I was able to turn self xss into reflected xss

Hein Thant Zin · ~2 min read · March 31, 2019 (Updated: December 9, 2021)

Hello there, I'm Hein Thant Zin and just a noob bug hunter. Today, I would like to share one of my recent findings in a HackerOne private program. Let's say https://reacted.com

When I was testing this site, there was a function which lets you transfer money to another account via wallet address: https://reacted.com/manage/transfer

I put an XSS payload in this field and the payload was automatically executed, but nothing happened, because they filtered: the wallet address must start with 'xyz' and be 98 characters long. So, I prepared my payload like that:

xyzaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Then, when I put the above payload, the XSS was fired :")

Me was like

But this is basically self XSS, which is not exploitable against other users. So, how can I exploit other users? I was thinking about it, and about 15 minutes later I noticed that they provided two ways to fill in the wallet address:

Copy / Paste
Scanning a QR image

What happens if an attacker encodes his XSS payload as a QR image and sends it to the victim to transfer money? I encoded my payload like that (the QR image from the original post is not reproduced here).

And then I scanned my QR code and the payload was automatically executed, then popped up an alert. That is enough to exploit other users, because no user action is needed to execute the payload, and the encoded QR image is not visible as plaintext.

I quickly wrote a report and reported it to the security team. They triaged my report and awarded a $300 bounty for my finding. :")

Thanks for reading…….
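The root cause described above is a format-only check (prefix 'xyz', length 98) on a value that is then rendered into the page unescaped, and the same value arrives from a QR scan as from paste. The following is an added example, not code from the post or the affected site; it models that weak check beside a hardened one and shows output encoding. The 'xyz' prefix and 98-character length come from the post; the function names, the alphanumeric character set and the sample input are assumptions.

```javascript
// Added example (not from the original post or the affected site).
// Models the wallet-address field described in the write-up.
const WALLET_PREFIX = "xyz";   // from the post
const WALLET_LENGTH = 98;      // from the post

// Reproduces the weak check the post describes: format only.
// Any 98-character string starting with "xyz" passes, whatever it contains.
function weakValidate(addr) {
  return addr.startsWith(WALLET_PREFIX) && addr.length === WALLET_LENGTH;
}

// Hardened check: same prefix and length, but the body is restricted to the
// characters a wallet address can contain (assumed here: letters and digits).
// Markup characters cannot pass, regardless of whether the value was pasted,
// scanned from a QR image, or taken from a URL parameter.
const WALLET_RE = new RegExp(
  `^${WALLET_PREFIX}[A-Za-z0-9]{${WALLET_LENGTH - WALLET_PREFIX.length}}$`
);
function strictValidate(addr) {
  return WALLET_RE.test(addr);
}

// Output encoding: escape before inserting into HTML so that even a value
// which slips past validation is displayed as text, not interpreted.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The confirmation fragment the transfer page shows. The unsafe version
// concatenates raw input (the bug); the safe version escapes it.
function renderUnsafe(addr) { return `<p>Send to: ${addr}</p>`; }
function renderSafe(addr)   { return `<p>Send to: ${escapeHtml(addr)}</p>`; }

// Constructed sample input: a harmless marker tag padded with "a" to the
// required length, mirroring the padding trick in the post.
function paddedSample(marker) {
  const padLen = WALLET_LENGTH - WALLET_PREFIX.length - marker.length;
  return WALLET_PREFIX + marker + "a".repeat(padLen);
}
```

Scanning a QR code only changes how the string reaches the input; the fix is to validate its content and encode it on output, not to trust the entry path.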