In this post, I will share some writeups on the free challenges on the BugBountyHunter platform. I encourage everyone to check out the site https://www.bugbountyhunter.com/.
Cross-Site Scripting in Image Tag
How does the feature work? If you select a dropdown option, the image is rendered with special effects using CSS. In the img tag, we can see that the selected option value appears in
What could go wrong? The POST request looks suspicious.
There is no server side validation of the imageClass value. You can send any value and it will be reflected in the response.
We can try sending a few payloads to test for an XSS issue. First, we can modify the imageClass value to imageClass=helloworld" onload="alert(1)". The response returns class="1" in the tag. We can then try imageClass=helloworld" onclick="alert(1)". The response also returns class="1" in the tag.
It seems there is some blacklisting of keywords such as onload or onclick. Hence we need to find an event handler that is not blacklisted. Fortunately, this payload was not blocked:
When we click on the image in the browser, the malicious script is executed.
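The root cause here is that imageClass is reflected into an HTML attribute with only a keyword blacklist, so a double quote in the value still closes the class attribute. The added example below (constructed for this post, not code from the BugBountyHunter challenge) contrasts that blacklist pattern with an allowlist of known CSS class names and includes a small check that detects attribute breakout in rendered markup; the class names and image path are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed: the dropdown only ever offers these CSS effect classes.
ALLOWED_IMAGE_CLASSES = {"grayscale", "sepia", "blur", "none"}

# The blacklist pattern described in the writeup: a few handler names are removed.
BLOCKED_KEYWORDS = ("onload", "onclick")


def render_img_blacklist(image_class: str) -> str:
    """Vulnerable pattern: strip some event-handler names, then reflect the raw value.
    The quote character is never neutralised, so the value can leave the class="..." context."""
    cleaned = image_class
    for word in BLOCKED_KEYWORDS:
        cleaned = re.sub(word, "", cleaned, flags=re.IGNORECASE)
    return f'<img src="/img/cat.png" class="{cleaned}">'


def render_img_allowlist(image_class: str) -> str:
    """Hardened pattern: only a known class name is accepted; anything else falls back
    to a safe default. html.escape is kept as defence in depth for the attribute context."""
    if image_class not in ALLOWED_IMAGE_CLASSES:
        image_class = "none"
    return f'<img src="/img/cat.png" class="{html.escape(image_class, quote=True)}">'


class _ImgAttrs(HTMLParser):
    """Collects the attribute names of the first <img> tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            self.attrs = [name for name, _ in attrs]


def injected_attributes(rendered: str) -> list[str]:
    """Detection check: any attribute other than src/class means the reflected
    value broke out of the class attribute, regardless of which handler name it used."""
    parser = _ImgAttrs()
    parser.feed(rendered)
    return [name for name in parser.attrs if name not in ("src", "class")]
```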