Infogram: Stored XSS in the Custom Logo link

From Hackipedia
Hackerone #282209
Target: Hackerone
Target Module:
Type: XSS
Payload: javascripT://https://google.com%0aalert(1);//https://google.com
Original: Link
CVE:
Archive Screenshot

Infogram allows a user to upload a logo to their account that appears on all graphics created with the service. This logo can also be used as a link. There were some rudimentary checks intended to stop users from inserting malicious javascript: links here.

sp1d3rs was able to bypass these checks, as he states in the ticket:

The javascript string was blacklisted, but using a capital letter, I was able to bypass the filter. javascript:alert didn't work (looks like due to the protocol check - http:// became appended to the payload), but javascripT:// successfully bypassed the filter. Now, since it checks for the http[s] protocol, we can bypass it using comment:

javascripT://https://google.com%0aalert(1);//https://google.com

How To Perform

  1. Any time you are allowed to insert a link, try the javascript:alert(1) attack
  2. Keep in mind these bypasses used by sp1d3rs
    1. javascripT
    2. javascripT://%0aalert(1)
    3. javascript://https://%0aalert(1)