{"id":122,"date":"2022-11-27T12:31:00","date_gmt":"2022-11-27T05:31:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=122"},"modified":"2024-12-14T13:41:37","modified_gmt":"2024-12-14T06:41:37","slug":"post-based-xss-on-domainesia","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/post-based-xss-on-domainesia\/","title":{"rendered":"POST-based XSS on DomaiNesia"},"content":{"rendered":"\n

DomaiNesia<\/strong> is a company that offers domain registration, web hosting, VPS, and other related services. In this report, I\u2019ll be sharing the details of a POST-based XSS<\/strong> vulnerability I discovered on their website.<\/p>\n\n\n\n

I spent a few minutes thoroughly browsing the website, checking different pages, URLs, and parameters, and testing various inputs in forms. Eventually, I came across a potential vulnerability on the following page:<\/p>\n\n\n\n

Page URL:<\/strong><\/p>\n\n\n\n

https:\/\/www.domainesia.com\/konfirmasi\/<\/code><\/pre>\n\n\n\n
On this page, there were input fields for “Payment Confirmation”<\/strong> as well as a file upload field. I decided to focus on the file upload functionality.<\/p>\n\n\n\n
Step 1: File Upload Test<\/h4>\n\n\n\n
I uploaded a file named img.jpg<\/code> and received the following response:<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
<img<\/span> <\/span>id<\/span>=<\/span>'<\/span>previewImage<\/span>'<\/span> <\/span>src<\/span>=<\/span>'<\/span>https:\/\/files.domainesia.com\/bukti-pembayaran\/2019-10-14-94638-img.jpg<\/span>'<\/span> <\/span>alt<\/span>=<\/span>'<\/span>Payment Proof<\/span>'<\/span> <\/span>width<\/span>=<\/span>'<\/span>100<\/span>'<\/span>><\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
At this point, I decided to test the behavior when adding special characters in the filename. Specifically, I tried inserting a single quote ('<\/code>) in the filename to see if it could break or close the src<\/code> attribute in the image tag.<\/p>\n\n\n\n
Step 2: File Name Manipulation<\/h4>\n\n\n\n
I renamed the file to img'.jpg<\/code> and received the following response:<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
<img<\/span> <\/span>id<\/span>=<\/span>'<\/span>previewImage<\/span>'<\/span> <\/span>src<\/span>=<\/span>'<\/span>https:\/\/files.domainesia.com\/bukti-pembayaran\/2019-10-14-94638-img<\/span>'<\/span> <\/span>.jpg<\/span>'<\/span> <\/span>alt<\/span>=<\/span>'<\/span>Payment Proof<\/span>'<\/span> <\/span>width<\/span>=<\/span>'<\/span>100<\/span>'<\/span>><\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
As you can see, the single quote in the filename disrupted the src<\/code> attribute, which gave me an opportunity to inject a malicious payload.<\/p>\n\n\n\n
Step 3: XSS Payload Injection<\/h4>\n\n\n\n
Taking advantage of this, I tried injecting some XSS payloads<\/strong> in the filename. Here are the two payloads I used:<\/p>\n\n\n\n
    \n
  1. img'onerror='alert(document.domain)'.jpg<\/code><\/li>\n\n\n\n
  2. img'onerror='alert(document.cookie)'.jpg<\/code><\/li>\n<\/ol>\n\n\n\n
    When I uploaded these files, the payloads were executed as part of the onerror<\/code> event handler for the image. The server responded with a POST-based XSS<\/strong>, successfully triggering the JavaScript alerts.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Timeline:<\/h3>\n\n\n\n
      \n
    • October 14, 2019:<\/strong> Reported the bug to DomaiNesia<\/li>\n\n\n\n
    • October 14, 2019:<\/strong> DomaiNesia acknowledged and accepted the bug report<\/li>\n\n\n\n
    • October 14, 2019:<\/strong> DomaiNesia confirmed that the bug had been fixed<\/li>\n\n\n\n
    • October 14, 2019:<\/strong> DomaiNesia requested my account information<\/li>\n\n\n\n
    • October 16, 2019:<\/strong> A reward was sent<\/li>\n<\/ul>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      I\u2019m grateful to DomaiNesia for their prompt response and for rewarding me for reporting this issue.<\/p>\n\n\n\n
      #HappyHacking<\/p>\n","protected":false},"excerpt":{"rendered":"
      DomaiNesia is a company that offers domain registration, web hosting, VPS, and other related services. In this report, I\u2019ll be sharing the details of a POST-based XSS vulnerability I discovered on their website. I spent a few minutes thoroughly browsing the website, checking different pages, URLs, and parameters, and testing various inputs in forms. Eventually, […]<\/p>\n","protected":false},"author":3,"featured_media":150,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,8],"class_list":["post-122","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=122"}],"version-history":[{"count":1,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/122\/revisions"}],"predecessor-version":[{"id":126,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/122\/revisions\/126"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/150"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}