Open in app

Sign up

Sign in

Write

Sign up

Sign in

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow publication

Stored XSS Filter Bypass in the Skills section

Inspired by my recent post on LinkedIn, I’m excited to share my first-ever write-up on Medium. In this article, I’ll take you through my experience of finding a stored Cross-Site Scripting (XSS) vulnerability by getting around filters. Let’s dive into the details of my journey.

So let’s get started.

  1. Finding the Target:

I chose a target website and explored it as a regular user. After signing up and logging in, I checked out the different sections available to users with accounts.

2. Exploring the Vulnerable Section:

Among the options, I clicked on “Settings” and then “Profile Summary.” Here, I found a place where users could list their skills, which seemed like a good spot to test for an XSS exploit.

3. First Payload Attempt:

I began with a simple payload:

<script>alert(1)</script>.

After that, I opened my profile page which was publicly accessible at https://target.com/pub/[username], and saw everything was stripped off.

4. Trying Something More Advanced:

Not discouraged, I experimented with another payload:

<img/src=x onerror=alert(document.cookie)>

Unfortunately, the field had a character limit of 30. I dug into the HTML code and extended the limit to 300. Even with this payload, I only saw an image error, not the expected alert.

So, it is stripping suspicious things from my payload.

5. Using Encoding for Payloads:

Realizing the website was detecting and removing suspicious code, I started playing with payload encoding. I tried variations like

<img/src=x onerror=alert&#40;document.cookie&#41;>

but these attempts were unsuccessful.

6. Discovering a Clever Hyperlink Payload:

In my quest for a breakthrough, I tried a hyperlink payload:

<a/href=”javascript:alert(1);”>ClickMe

Unfortunately, this caused the page to redirect to a 404 error.

I was like:

7. Solving the Encoding Puzzle:

<a/href=”j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;document.cookie&rpar;”>

Cool! It didn’t strip alert now. But it didn’t work because of improper encoding. Let’s correct it:

8. Achieving Success:

Replaced: j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt (which was actually j a v asc ri pt)
With: j&#97v&#97script (javascript)

GOTCHA!

The final payload that worked was:

<a/href=”j&#97v&#97script&#x3A;&#97lert(document.cookie)”>ClickMe

Thanks for reading!! I hope you found it helpful. Please let me know whether you would like me to continue creating more write-ups like this or not.

Let’s connect on LinkedIn for more: LinkedIn Profile

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Sign up for free

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Try for $5/month
Bugbounty
Xss
Penetration Testing
Cybersecurity

InfoSec Write-ups
InfoSec Write-ups
Follow

Published in InfoSec Write-ups

57K Followers
Last published 18 hours ago

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow
Krishna Kumar
Krishna Kumar
Follow

Written by Krishna Kumar

208 Followers
12 Following

Penetration tester | Bug Bounty Hunter

Follow

Responses (8)

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech