{"id":77,"date":"2021-05-31T02:46:00","date_gmt":"2021-05-30T19:46:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=77"},"modified":"2024-12-14T12:17:50","modified_gmt":"2024-12-14T05:17:50","slug":"stored-dom-based-xss-on-xiaomi","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/stored-dom-based-xss-on-xiaomi\/","title":{"rendered":"Stored DOM-based XSS on Xiaomi"},"content":{"rendered":"\n<p>Yesterday, I discovered a <strong>Stored Cross-Site Scripting (XSS)<\/strong> vulnerability on the <strong>Xiaomi Forum<\/strong> via <strong>Markdown<\/strong>. Today, I\u2019ve found another critical vulnerability: a <strong>Stored DOM-based XSS<\/strong> issue on the same platform. In this writeup, I will walk you through how I found this vulnerability and demonstrate how it can be exploited.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Posts:<\/h3>\n\n\n\n<p>For those interested, here\u2019s a related writeup on how I exploited an XSS vulnerability via Markdown on <strong>Xiaomi Forum<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/n45ht.or.id\/blog\/exploiting-xss-via-markdown-on-xiaomi\/\">Exploiting XSS via Markdown di Xiaomi<\/a><\/li>\n<\/ul>\n\n\n\n<p>To begin, I tried to post a thread on the <strong>Xiaomi Forum<\/strong> to see if the input fields were vulnerable to JavaScript execution. I filled out the necessary fields and submitted the thread.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"598\" height=\"279\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-1.png\" alt=\"\" class=\"wp-image-79\" style=\"width:506px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-1.png 598w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-1-300x140.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/figure>\n\n\n\n<p>After posting the thread, I immediately inspected the page source to identify any areas where JavaScript might be reflected or executed.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"437\" height=\"105\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-2.png\" alt=\"\" class=\"wp-image-80\" style=\"width:491px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-2.png 437w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-2-300x72.png 300w\" sizes=\"auto, (max-width: 437px) 100vw, 437px\" \/><\/figure>\n\n\n\n<p>In the source code, I found that the <strong>thread title<\/strong> was being displayed inside backticks (<code>`<\/code>), which is a template literal syntax in <strong>JavaScript<\/strong>. Upon further inspection, I realized that <strong>DOM-based XSS<\/strong> could be triggered in this context.<\/p>\n\n\n\n<p>The <strong>backquote<\/strong> (<code>`<\/code>) in JavaScript is part of <strong>template literals<\/strong>, and it allows us to embed expressions inside a string using the <code>${}<\/code> syntax. This means we could inject JavaScript functions directly into the thread title.<\/p>\n\n\n\n<p>Here\u2019s an example of how we can exploit this:<\/p>\n\n\n\n<p><strong>Example:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"var abc = `dadada${alert(1)}`\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">var<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">abc<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">`<\/span><span style=\"color: #A3BE8C\">dadada<\/span><span style=\"color: #81A1C1\">${<\/span><span style=\"color: #88C0D0\">alert<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">}<\/span><span style=\"color: #ECEFF4\">`<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>In this example, the <code>alert(1)<\/code> function would be executed, displaying an alert box in the browser. This proves that any JavaScript function inside the <code>${}<\/code> syntax within backticks can be executed.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Now, I crafted a malicious payload that would execute an <strong>XSS attack<\/strong> when the thread title was displayed on the forum. The final payload I used was:<\/p>\n\n\n\n<p><strong>Payload:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"Hellooooooooooo${alert(1)}\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D8DEE9\">Hellooooooooooo$<\/span><span style=\"color: #ECEFF4\">{<\/span><span style=\"color: #88C0D0\">alert<\/span><span style=\"color: #D8DEE9FF\">(<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #D8DEE9FF\">)<\/span><span style=\"color: #ECEFF4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>By injecting this payload into the thread title, I was able to trigger the JavaScript execution as soon as the title was rendered on the page.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>When the thread was displayed with my crafted title, the <strong>XSS<\/strong> was successfully triggered. The alert box popped up, confirming that the vulnerability existed and was exploitable.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"533\" height=\"209\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-3.png\" alt=\"\" class=\"wp-image-81\" style=\"width:511px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-3.png 533w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-3-300x118.png 300w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><\/figure>\n\n\n\n<p>Here\u2019s the response I received from the Xiaomi Forum\u2019s server. The thread title was reflected back into the DOM without any sanitization or escaping, which allowed the injected JavaScript to execute.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"422\" height=\"90\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-4.png\" alt=\"\" class=\"wp-image-82\" style=\"width:502px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-4.png 422w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/writeup-xiaomi2-4-300x64.png 300w\" sizes=\"auto, (max-width: 422px) 100vw, 422px\" \/><\/figure>\n\n\n\n<p>This <strong>Stored DOM-based XSS<\/strong> vulnerability in the <strong>Xiaomi Forum<\/strong> is a serious security risk because it allows an attacker to inject arbitrary JavaScript into the page, which can then be executed in the context of other users&#8217; browsers. This could potentially lead to various attacks, including session hijacking, phishing, or malicious actions.<\/p>\n\n\n\n<p>I\u2019ve responsibly reported this vulnerability to Xiaomi, and I hope they address it to improve the security of their platform.<\/p>\n\n\n\n<p>#HappyHacking<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday, I discovered a Stored Cross-Site Scripting (XSS) vulnerability on the Xiaomi Forum via Markdown. Today, I\u2019ve found another critical vulnerability: a Stored DOM-based XSS issue on the same platform. In this writeup, I will walk you through how I found this vulnerability and demonstrate how it can be exploited. Related Posts: For those interested, [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":78,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,8],"class_list":["post-77","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/77","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=77"}],"version-history":[{"count":3,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/77\/revisions"}],"predecessor-version":[{"id":113,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/77\/revisions\/113"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/78"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=77"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=77"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=77"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}