Stored XSS: Non-Privileged User to Anyone Using QR Code

Prajit Sindhkar
3 min readOct 7, 2021

Hello guys👋👋 ,Prajit here from the BUG XS Team , recently I got a valid Stored XSS-P2 via QR Code on a Bugcrowd private program, in this write-up I will discuss how I found it. Hope you enjoy it 😉!

So first before jumping directly into steps, let me give you a short gist of Stored XSS for those who don't know.

What is Stored XSS?

Stored XSS aka Persistent XSS or Type-1 XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc.

With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and never being sent to the server at all.

Moving Onto Main Find

So in one of the subdomain of the program I received, had a feature of styling a page of app by adding different features and styles.

Feature Page

In there in each and every section like “ Name” , “A little about yourself” etc I injected XSS Payload “><img src=x onerror=alert(document.cookie)>

Injected Payload

Now as I clicked on “Add Content” I got XSS Pop Up.

Payload Executed

But here as you can see, it has no get parameters or anything or not even share feature, which I could use to send this to other user, otherwise this is right now Self Stored XSS, which is a P5/no-impact vulnerability☹️.

So I started looking for ways with which I can increase the impact, or any methods I can send this page to other users, then the QR Code on the top right corner just caught my eye🧐, so I thought of testing it.

As soon as I scanned this QR Code it opened up a site, In which my XSS payload executed😍, so finally I have converted Self XSS to Non-Self XSS hance now P2 severity😈.

Non Self Executed XSS

Takeaway

Always when you get Self Stored XSS, try to increase impact with testing other available functionalities.

So this is all about this write-up, hope you liked it, if you found this informative, do not forget to clap👏 and do let me know if you have any doubts✌️. I am also planning a new series for a writeup which I will start soon, so stay tuned, and hit that follow button.

Thanks For Reading😊

Profile Links:

Twitter: https://twitter.com/SAPT01

LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/

Instagram: https://instagram.com/prajit_01?utm_medium=copy_link

BUG XS Official Website: https://www.bugxs.co/

--

--

Prajit Sindhkar

I am a India Based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community