Hi Guys, the other day i discovered Stored XSS Issue on Rediff mail and also reported this issue to Rediff didn’t get any Credit for it though 🙂
They dropped me mail notifying that issue has been fixed.
I demonstrate the Stored XSS issue.
But, First of all let’s understand what XSS basically means
XSS (Cross-Site Scripting)
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
There are basically two types of XSS:
1) Reflected XSS Attacks
2) Stored XSS Attacks
So, Let get started
This is an extremely critical vulnerability as the user data will be compromised just by visiting malicious user profile leading to execution of malicious script on the victim browser.
Here is a proof of concept of Stored XSS on Rediffmail 🙂
- Hosted JavaScript File locally with following content:
“document.write (“Stored XSS ” + document.cookie);alert (“cookie Value” + document.cookie);”
- Parameter Affected: School and college combined.
Here is the tricky part of it.
The individual school and college parameter didn’t give xss alert.
So i tried to combine both field by using following vector:
School:
/><SCRIPT SRC=”http://localhost/xss/xss.js”/*
College:
*/></SCRIPT>
3) Saved the attack vector in his profile. As soon as the user visits attacker profile malicious script will be executed on his browser.
Bingo!! Another Bug 😉
Hope you liked the post, many more bug bounty to come.
Once we get the acknowledgment of issues being fixed we will be sharing them with you..
Please feel free to comment.
Thanks and Happy Bounty Hunting
Leave a Reply
Your email is safe with us.