Posts

Showing posts from October, 2020

Unexploitable CORS can lead to Stored XSS?

Image
Heeeeeeey guys, this is the last bug I found but I liked it so I wanna share the idea with you let's go. Find CORS our target here is a private program on HackerOne so let's call it example.com, this website almost all endpoints is vulnerable to CORS 😂, I found a CORS in an endpoint which changing my name but the response didn't include private information to steal so it was unexploitable. Find Self-Stored XSS I spent hours testing the application and I found an interesting thing one of the endpoints display the current user's information in JSON format but the issue here is the Content-Type of the response is text/html and this is the first WOW, I looked to this information and I found that there is a parameter include the name of the user so I can change it and this is the second WOW, I get back and add an XSS payload on the name, after saving the payload I opened the endpoint and as expected the payload executed, and this is an example of the endpoint path http://e