Stored XSS via Invite leading to Account Takeover at Opera.
Hey Guys!! I am Samrat Gupta aka Sm4rty, a Security Researcher and a Bug Bounty Hunter. I hope everyone is safe in the current Covid-19 pandemic situation. I am back with another blog post. Hope you will learn something new today.
So, this is the story of a Stored XSS which I recently found at yoyogames.com, one of the domains in scope of the Opera Bug Bounty Program. Let's get started.
What is Stored XSS?
Stored XSS, also known as persistent XSS, is generally the most damaging of the three XSS types (the other two being Reflected and DOM-based XSS). It occurs when a malicious script is injected into a vulnerable web application and stored on the server (for example in a database), so that it is served to every user who later views the affected page, with no crafted link for the victim to click. That is what makes it more impactful.
How I found Stored XSS at Opera?
About a month ago I was hunting on Opera's program. I picked the domain yoyogames.com, which was in the scope of the Opera program on Bugcrowd.
At first, I began with initial recon, i.e. subdomain enumeration, port scanning, screenshotting, and running Nuclei. Then I thought of exploring the features as a normal user.
In the application, I found a function where a user can create a publisher. So, I randomly tried the XSS payload </h4><script>alert(document.cookie)</script> in the Name parameter of the publisher. The leading </h4> is there to close a heading tag the name might be rendered inside, so that the script tag lands directly in the page body. As expected, nothing happened and the XSS didn't trigger.
Then I explored the application further and found a feature where I was able to invite other users to access the publisher I had just created. So, I created a second account on the website.
From the first account, I invited the second account to the publisher. Then, from the second account, I clicked 'accept' on the invitation.
BOOM!! The XSS triggered: the invitation page rendered the stored publisher name without encoding it.
I repeated the same steps, but this time clicked 'decline' instead of accepting the invite, and what do you know, the XSS triggered again.
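The bug pattern above, as an added example that is not code from the original post or from yoyogames.com: the publisher name is stored once, but rendered by two different server-side templates. The "create publisher" page HTML-encodes it, so the payload shows up as harmless text; the invitation accept/decline page interpolates the same stored value raw. The function names, the in-memory store, and the "marker" check are assumptions for illustration; the check generalises the lesson of testing every endpoint where the stored value is reflected.

```javascript
// Added example (not the original post's code, not YoYo Games' code).
// Models a stored value that is encoded on one page and rendered raw on another.

// Minimal HTML escaping for text-node context (not attribute or JS contexts).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// In-memory stand-in (assumption) for the database row the "create publisher" form writes.
const publishers = new Map();
function createPublisher(id, name) {
  publishers.set(id, { id, name });
}

// Endpoint 1: publisher page. Encodes the name, so the payload is inert here.
function renderCreatePage(id) {
  const p = publishers.get(id);
  return `<h4>Publisher: ${escapeHtml(p.name)}</h4>`;
}

// Endpoint 2 (vulnerable): the page shown on accept/decline interpolates the
// same stored name into the markup without encoding it.
function renderInvitePageVulnerable(id, action) {
  const p = publishers.get(id);
  return `<h4>You ${action} the invitation to ${p.name}</h4>`;
}

// Endpoint 2 (fixed): same template, name encoded at output time.
function renderInvitePageFixed(id, action) {
  const p = publishers.get(id);
  return `<h4>You ${action} the invitation to ${escapeHtml(p.name)}</h4>`;
}

// Does a rendered page contain the marker verbatim (i.e. unencoded)?
function reflectsRaw(html, marker) {
  return html.includes(marker);
}

// Walk every render path that shows the stored value and report the ones that
// emit it raw. This is the "try every endpoint where the parameter is reflected"
// lesson turned into a check.
function findRawReflections(id, renderers, marker) {
  return Object.entries(renderers)
    .filter(([, render]) => reflectsRaw(render(id), marker))
    .map(([name]) => name);
}

// Constructed payload, the same shape as the one used in the write-up.
const PAYLOAD = "</h4><script>alert(document.cookie)</script>";

function demo() {
  createPublisher("pub1", PAYLOAD);
  const renderers = {
    create: renderCreatePage,
    inviteAccept: (id) => renderInvitePageVulnerable(id, "accepted"),
    inviteDecline: (id) => renderInvitePageVulnerable(id, "declined"),
    inviteFixed: (id) => renderInvitePageFixed(id, "accepted"),
  };
  // Returns ["inviteAccept", "inviteDecline"]: the create page and the fixed
  // invite page encode the name, the two vulnerable invite views do not.
  return findRawReflections("pub1", renderers, "<script>");
}
```

Against a live target you would store a unique canary string rather than a live script tag, then fetch every page that can display the publisher (creation, listing, invitation accept and decline, e-mails, admin views) and grep each response for the canary appearing unencoded. Only once you know which views reflect raw do you swap in an actual payload.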
So, I got too excited and just reported it to the program. But unfortunately, I was a bit late: someone had already reported the vulnerability before me, and all I got was a duplicate. But still, I learned a lot.
- When an XSS payload doesn't trigger in one place, it doesn't mean the parameter is not vulnerable; the value may be encoded on that page but rendered raw somewhere else.
- Try every endpoint where the parameter is reflected.
- Don't give up after one attempt; try to dig deeper.
Here is the PoC link: https://youtu.be/uoIaAlF1CG0