Stored XSS in the guide's GameplayVersion (
State Resolved (Closed)
Disclosed publicly 2019-01-07T20:03:56.643Z
Reported To
Weakness Cross-site Scripting (XSS) - Stored
Bounty $750

submitted a report to Valve.

Hi, team!

The beginning of this issue looks like my previous report #369043, but this one will be much more interesting :) So let's go!

Steps to reproduce:

1) Open the dota2 client and create a new simple guide with XSS in the name.

2) Publish this guide on steam.

3) Now go to the Fiddler app and look at the request from the dota2 client:

The XSS script is placed in the title; the title is displayed as safe HTML on the site, so for now nothing terrible happens.

4) Next I write a small piece of code in the Fiddler app:

if (oSession.uriContains("/cloud/CB/")) {
    var strBody = oSession.GetRequestBodyAsString();
    // (the rest of the script is not shown in the report: it moves the
    //  payload from the "Title" field to the "GameplayVersion" field in
    //  strBody, keeping the body length unchanged, and writes it back)
}

So I transfer the XSS script from "Title" to "GameplayVersion". I decided to go this way, since in this case the content length of the build's file does not change and it successfully passes the hash-sum comparison.

5) Now we return to the dota2 client, click "Edit", change anything in our build and publish it again. And we see that the PUT request was successful and the XSS data in it is arranged the way we wanted:

6) Next I go to the Dota2 Workshop Manager.

And here we see our public file ID. I found this connection with the public guide files while preparing the previous report, but I did not know how to apply it (before today).

7) Put this FileID into the link below and we get the public infected page:

And the result in the latest versions of Firefox and Chrome:

Sincerely, @mvc


As with any cross-site-scripting vulnerability, the bottom line is that the attacker might steal cookies to abuse users' sessions.


doggos Activities::Comment
Hi @mvc, Thanks for your submission. We are currently reviewing your report and will get back to you once we have additional information to share. Kind regards, @doggos

doggos Activities::BugTriaged
Thank you for your submission! Your report has been validated, and it has been submitted to the appropriate remediation team for review. They will let the HackerOne triage team know the final ruling on this report, and if/when a fix will be implemented. The HackerOne triage team will follow-up after the remediation team has assessed the impact of this report. Please note that the status and severity are subject to change.

doggos Activities::ReportSeverityUpdated


jacobu Activities::BugResolved
Thanks for the report! We have deployed a fix to our production systems. Please let us know if you are still able to reproduce the issue.

mvc Activities::Comment
Hi, team! Can we fully disclose this report?

mvc Activities::AgreedOnGoingPublic

mvc Activities::Comment
Hi, team! Is there some problem with the disclosure of this report? It's the third month after my request...

bgilmore Activities::AgreedOnGoingPublic

bgilmore Activities::ReportBecamePublic