Forum Thread: Unclear XSS, and What I Can Do with It

Hi everyone,

I found an XSS on the site while editing my own profile - all info is sent as JSON, and if a " is present, it's escaped like this: \". When I save the profile, I caught the request via Burp and removed this \ symbol, i.e. I got this clean line "> <img src = x onerror = prompt (1)>, after which a pop-up window appeared saying that you have an error in JSON {full JSON}. Well, after this message I got the XSS. Though the data was preserved, after relogging in to this page the XSS does not execute...

The question is: what can be done with such a strange XSS?

And one more interesting thing: while triggering this alert pop-up message, I caught a POST report request https://host/report to the server with a huge body (a lot of different scripts, HTML tags, etc.)

request body:
-----------------------------2391265022744
Content-Disposition: form-data; name="uri"

https://host/dashboard/business/profile
-----------------------------2391265022744
Content-Disposition: form-data; name="caller"

function onerror(event) {
prompt(2)
}
-----------------------------2391265022744
Content-Disposition: form-data; name="dom"

<script id="dashboard-navigation" src="/dashboard/navigation.js" type="text/javascript" async="true" data-global-interface="dashboardNavigation" data-app-id="dashboard" data-api-url="https://host "></script>

<div id="dashboard-navigation_container"><style>@media screen and (min-width: 1258px){
...
etc...
...
}
-----------------------------297832247625910
Content-Disposition: form-data; name="arguments"
2
-----------------------------297832247625910--

So, may I send some attack to this server? Thank you!
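The behaviour described in the post (the escaped value is stored and rendered safely, but the hand-tampered body breaks the JSON and the error message reflects the raw body) comes down to two server-side details: the escape was removed, so the body no longer parses, and the error handler echoes the rejected body into HTML without encoding it. The following added example is not code from the original post or from the site in question; it is a constructed Python model of that flow, with a hypothetical vulnerable error handler beside a hardened one so the difference is visible. Request bodies, function names and the check are all assumptions made for the illustration.

```python
import html
import json

# Constructed sample bodies (not captured from the site in the post).
# The first is what the application itself sends: the quote inside the
# value is backslash-escaped, so the document is valid JSON.
ESCAPED_BODY = '{"name": "\\"><img src=x onerror=prompt(1)>"}'
# The second is the same body after the backslash has been removed in the
# proxy: the quote now terminates the string early and the JSON is invalid.
TAMPERED_BODY = '{"name": ""><img src=x onerror=prompt(1)>"}'


def parse_profile(body: str):
    """Return (True, parsed_object) or (False, JSONDecodeError)."""
    try:
        return True, json.loads(body)
    except json.JSONDecodeError as exc:
        return False, exc


def render_stored_name(body: str) -> str:
    """The 'reload the page' path: the stored value is HTML-encoded before
    it is placed in the document, so the markup inside it stays inert."""
    ok, parsed = parse_profile(body)
    if not ok:
        raise ValueError("body did not parse")
    return f"<p>{html.escape(parsed['name'])}</p>"


def error_page_reflecting_raw(body: str) -> str:
    """Hypothetical vulnerable handler: on a parse failure it interpolates
    the rejected body straight into the HTML error message."""
    ok, _ = parse_profile(body)
    if ok:
        return "<p>saved</p>"
    return f"<p>Error in JSON: {body}</p>"


def error_page_hardened(body: str) -> str:
    """Hardened handler: the rejected body is HTML-encoded before it is
    reflected, and the parser's error position is reported alongside it."""
    ok, result = parse_profile(body)
    if ok:
        return "<p>saved</p>"
    return (f"<p>Error in JSON (at offset {result.pos}): "
            f"{html.escape(body)}</p>")


def contains_active_markup(page: str) -> bool:
    """Crude detection check used here: an unencoded <img tag made it into
    the response body."""
    return "<img" in page


if __name__ == "__main__":
    print("escaped body parses:", parse_profile(ESCAPED_BODY)[0])
    print("tampered body parses:", parse_profile(TAMPERED_BODY)[0])
    print("stored value rendered:", render_stored_name(ESCAPED_BODY))
    print("raw error page active:",
          contains_active_markup(error_page_reflecting_raw(TAMPERED_BODY)))
    print("hardened error page active:",
          contains_active_markup(error_page_hardened(TAMPERED_BODY)))
```

This reproduces the pattern in the post: the normal save path is safe because the value is JSON-escaped in transit and HTML-encoded on output, while the only place raw input reaches the page is the error path that echoes the unparseable body. From the defender's side the fix is the `html.escape` in the error handler (and, more generally, never reflecting a rejected request body into HTML at all); from the reporter's side, that is the finding to describe, since the reflected error is the actual injection point rather than the stored profile field.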

3 Responses

Are you using the same web browser that you used when you found the XSS? If so, is the payload still on the page (that it isn't injecting on), but being filtered?

Yes, and yes... maybe I can upload something to the server, or maybe I can download some sensitive information.... Thanks.
