Open in app

Sign in

Write

Sign in

XSS using a username

Sagar Sajeev
2 min readNov 14, 2022

--

Hey guys. I’m Sagar Sajeev

This is gonna be a short writeup explaining how I was able to trigger a XSS by trying a payload in the *last name* field .

Description

  • The target webapp did have some basic client side XSS protections, which were fairly easy to bypass.
  • Firstly, the WAF was filtering out the script tags (< , > ).
  • Secondly, it was filtering certain specific keywords (script, etc)
  • It’s easy to bypass client side restrictions. I just had to intercept the request and manually add the payload.

Steps to follow

  1. There was a signup page where you had to fill in all the basic stuff.
  2. The following payload was inputted in the last name field.

&lt;img src=x onerror=alert(document.location)&gt;

; which is just HTML encoded version of the following

<img src=x onerror=alert(document.location)>

3. Save the profile.

4. Whenever someone opens your profile, the payload will trigger.

Aftermath

  • Well, as you may all know, every bug should have a potential impact which must be explained in the POC.
  • In my case, this was not possible as the target website did not have any way for another user to access my profile (attacker’s account).
  • So ultimately, there was no impact. Thus my report was closed as informative.

>﹏<

*Note*

  • But hey, this may not be your case. If there was any way for another user to access your profile, this will be an easy P2 or P3 hit.
  • So you can test your target website accordingly, and if any such user-user interaction is indeed happening, then this can be a valid report.

Tips

  1. Depending on the scenario, it is possible to escalate the severity. I recommend that you to try the Portswigger XSS labs. When I started bug hunting, these labs helped me out a lot.
  2. If a payload doesn't go through the front end, try to encode it and try again. I have had success with this tactic.

Timeline

Submitted : 02–11–2022

Accepted : 07–11–2022

Resolved : 11–11–2022

I do occasionally share some tips about Bug Bounties and related stuff over at my Twitter and LinkedIn handle. So do follow me there. If you’ve got any queries, feel free to message me. I will be more than happy to help.

LinkedIn : https://www.linkedin.com/in/sagar-sajeev/

Twitter : https://twitter.com/Sagar__Sajeev

Thanks for going through my writeup and I hope it was useful to you. I’ve made several other writeups on my Medium handle. Please do check those out as well.

Happy Hunting!

Bug Bounty
Bug Bounty Tips
Cybersecurity
Vulnerability
Hacking

--

--

Sagar Sajeev
Sagar Sajeev

Written by Sagar Sajeev

954 Followers
30 Following

18 y/o | Security Researcher | Bug Bounty Hunter

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams