Interesting Stored XSS

Faizan Elahi
3 min read · Feb 20, 2022

Hey there! My name is Faizan and this write-up is about an interesting Stored XSS I found earlier today!
If you already know what XSS (Cross-Site Scripting) is, you may skip to the Methodology section.

What is an XSS?
XSS (Cross-Site Scripting) is a class of vulnerability in which an attacker gets their own JavaScript into a page served by the application, so the victim's browser runs it with the same trust and origin as the site's own code. Whatever that script can do, the attacker can do: steal session cookies or tokens, capture credentials or credit card details as they are typed, change what the page shows, and much more.

What does it mean by Stored XSS?
Stored (or persistent) XSS is the variant where the malicious payload is saved on the server side and served back to every user who visits the affected page, rather than being delivered in a single crafted link. No victim interaction beyond opening the page is needed, which is what makes it the more severe variant.

Methodology:

Recently I was working on a private program, let's say redacted.com.
I was playing around with its requests in Burp Suite and I noticed something strange in redacted.com/somedirectory/file.html.
I usually insert random strings and see whether they are reflected, and I usually look for input tags and try to guess by the input id, parameter name, etc.
While looking for input fields I saw a script tag which looked something like:

<script type="text/javascript" src="https://another_redacted.com/some_directory/some_child_directory/file.js"></script>

And I was like:

hmm!!!

I opened the URL from the src attribute in a new tab, and what happened was unexpected!
It threw an error: "Page does not exist!"

YAYY!!!!!

Now what?

I quickly went to https://www.namecheap.com/domains/registration/results/?domain=another_redacted.com

There I found that the domain was available for sale.

Have you guessed it already?
Well, if not: I can purchase this domain, create the same directory structure in it, make a file.js and write my own payload in it, i.e. alert(document.cookie).
As simple as that. Now if you open https://another_redacted.com/some_directory/some_child_directory/file.js it will no longer say "Page does not exist!", as you own the domain and have your payload inside it.

As the application was loading this URL in redacted.com/somedirectory/file.html, its src attribute will now fetch the file from my newly purchased site, which contains the malicious code. Any user visiting the application will be victimized by this stored XSS.

Hope you learned something new! if you have further suggestions please leave a comment below :)
-Faizan

Faizan Elahi, Security Researcher | Bugcrowd | Synack SRT member