Weird (im)possible XSS on error page

Hello all,

This is my first write up.

I am not usually a person who does write ups, but wanted to start sharing some with everyone.

I was working on a private program whose name I am not allowed to mention, so let's call it test.com.

The site had custom error handling: error pages were styled to match the rest of the site, with the usual background and layout, and whenever I tried to add something malicious to a request it simply redirected me to another page. At test.com/test, however, I managed to trigger a real error (a Reflection Exception), which surprised me. Searching for more information on this error, I found that some researchers had been able to inject HTML into it.

How did I find the error? By adding file extensions to directories. For example, test.com/test is the original page; when I requested test.com/test.php or test.com/test.aspx instead, I got the error page. From there I saw that I could manipulate the error page's message and replace it with text of my own.

Using that old trick, I reported the bug, but the program's security engineer replied that they were aware of the issue and that it was not eligible for a bounty, so they closed it as RTFS.

So I left the error page and went looking for something else; I had thought this would be an easy bounty, and I was wrong. A while later, still testing, I stumbled onto the same error page again. This time I tested for HTML injection, which I had forgotten to do earlier, and found that I could inject HTML into the error message, making the text bold, underlined, and so on.

I did not want to report that, since I knew the answer would be "We don't see any impact."

So I started testing for XSS. I tried everything in the book and a lot of payloads. Oddly, the page responded only to a few specific tags and ignored the rest, which pointed to a filter that allowed only certain tags; when I retested the HTML injection, the same thing happened. Whenever a tag was not accepted, I was redirected to the home page.

I focused on payloads built around <img src= rather than any other tag. The tag itself was reflected on the page, with the small placeholder icon showing that the browser had tried to load an image, but no picture appeared, so I figured an XSS was reachable here. Yet every payload I tried beyond that redirected me to the home page. It felt like I was back at the beginning, and it was driving me crazy.

Finally, I removed the test.aspx segment mentioned earlier, put the payload in as the directory name itself, and ended the payload with .aspx.

So the final payload, as seen in the photo, was:

%3Cimg%20src=%22'%22id='%3Cimg%20src=%22%22%3E'onerror=alert(1).aspx

URL-decoded, that path segment reads `<img src="'"id='<img src="">'onerror=alert(1).aspx`. The trailing .aspx keeps the request on the route that produces the error page, and the inner `<img src="">` sits inside a single-quoted id attribute, so the `>` it contains is not where the browser ends the outer tag; the browser keeps reading attributes and reaches onerror.
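As an added illustration (not code from the write-up or from the program it describes), here is a toy Node.js error page that reflects the requested path the way the write-up describes, next to a hardened version that HTML-encodes it. The write-up does not say how the site's filter worked, so the naive filter below is an assumption, included to show one way a nested-quote payload like the final one can slip past a tag scan that a plain `<img src=x onerror=...>` does not: a tokenizer that honours attribute quoting (as the browser does) finds the onerror attribute, whereas a scan that stops at the first `>` does not. All function and variable names are hypothetical.

```javascript
// Added example, not code from the write-up or the program it describes.
// All names are hypothetical; the naive filter is an assumption about how a
// tag-based check might work, since the write-up does not describe the real one.

// The final payload from the write-up, placed in the URL path (constructed
// here with a leading slash so it reads as a request path).
const PAYLOAD_PATH =
  "/%3Cimg%20src=%22'%22id='%3Cimg%20src=%22%22%3E'onerror=alert(1).aspx";

// Vulnerable: the percent-decoded path is concatenated into the error HTML.
function renderErrorPageVulnerable(rawPath) {
  const requested = decodeURIComponent(rawPath);
  return "<html><body><h1>Reflection Exception</h1>" +
    "<p>The resource " + requested + " could not be loaded.</p></body></html>";
}

// Hardened: HTML-encode the reflected value so it can never open a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderErrorPageHardened(rawPath) {
  return "<html><body><h1>Reflection Exception</h1>" +
    "<p>The resource " + escapeHtml(decodeURIComponent(rawPath)) +
    " could not be loaded.</p></body></html>";
}

// Assumed naive filter: flags an <img ...> whose attribute text, scanned only
// up to the first '>', contains an event handler. It rejects the simple
// "<img src=x onerror=alert(1)>" but is blind to a '>' hidden inside quotes.
function naiveFilterBlocks(html) {
  return /<img\b[^>]*\bon\w+\s*=/i.test(html);
}

// What a browser actually does: tokenize the attributes of the first <img>
// following the HTML tokenizer's quoting rules. A quoted value may contain
// '>' and the tag only ends at a '>' that is outside quotes.
function imgAttributes(html) {
  const m = /<img(?=[\s/>])/i.exec(html);
  if (!m) return null;
  const attrs = {};
  const isSpace = (c) => c === " " || c === "\t" || c === "\n" || c === "\f";
  let i = m.index + 4;
  while (i < html.length) {
    while (i < html.length && (isSpace(html[i]) || html[i] === "/")) i++;
    if (i >= html.length || html[i] === ">") break;
    let name = "";
    while (i < html.length && !isSpace(html[i]) && !"=/>".includes(html[i])) name += html[i++];
    while (i < html.length && isSpace(html[i])) i++;
    let value = "";
    if (html[i] === "=") {
      i++;
      while (i < html.length && isSpace(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++; // opening quote
        while (i < html.length && html[i] !== q) value += html[i++];
        i++; // closing quote
      } else {
        while (i < html.length && !isSpace(html[i]) && html[i] !== ">") value += html[i++];
      }
    }
    // First occurrence of an attribute name wins, as in browsers.
    if (name && !(name.toLowerCase() in attrs)) attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

const vulnerable = renderErrorPageVulnerable(PAYLOAD_PATH);
console.log("decoded path:", decodeURIComponent(PAYLOAD_PATH));
console.log("naive filter blocks it:", naiveFilterBlocks(vulnerable));
console.log("browser-style attributes:", imgAttributes(vulnerable));
console.log("hardened page has an <img>:", imgAttributes(renderErrorPageHardened(PAYLOAD_PATH)) !== null);
```

Run it with `node`. The point of the comparison is that the fix belongs in the output encoding, not in a better tag scan: once the reflected path is encoded, there is no `<img` for either the filter or the browser to find, whatever quoting tricks the attacker uses.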

Got some bounty and learned something new!

Thanks
