Stored XSS in galleries - https://www.redtube.com/gallery/[id] path
State Resolved (Closed)
Disclosed publicly 2018-10-10T14:42:49.160Z
Reported To
Weakness Cross-site Scripting (XSS) - Stored
Bounty $1,500
Summary by sp1d3rs

Stored XSS on the /gallery/ endpoint. Discovered on the day of the public program launch.
Request interception was necessary.

Context:

<img src="..." alt="[injection]">

Sanitized characters:

<>

Payload:

"onload=[js]//

Similar to #380204, but with a different root cause.
Severity was set based on factors such as: the number of potential users affected, attack complexity, no user interaction required, and the possibility of stealing sensitive information or bypassing CSRF protection on the user's side.
I previously had some experience with the triage team, so in this case it was enough to demonstrate a simple popup, without a complex payload.
Thanks to the team for great report handling and bounty!
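
The root cause described above, as an added example that is not part of the report or of the site's code: a sanitizer that only strips "<" and ">" cannot protect a value placed inside a double-quoted attribute, because a single `"` ends the attribute and whatever follows is parsed as a new attribute name. The function names, the `/thumb.jpg` image path and the `alert(1)` body of the payload are assumptions for illustration; the tokenizer below follows the HTML attribute-parsing rules only as far as this case needs.

```javascript
// Added example, not code from the report or from redtube.com.
// Shows why removing only "<" and ">" fails in an attribute context and what
// proper attribute encoding looks like. Names and sample input are constructed.

// Vulnerable sanitizer: the behaviour the report describes (only <> removed).
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, "");
}

// Hardened encoder: escapes every character that can end or alter an attribute
// value, plus "&" so the output cannot be decoded back into one of them.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Gallery template (assumed shape): the album title lands in the alt attribute
// after being passed through `encode`.
function renderImgTag(albumTitle, encode) {
  return `<img src="/thumb.jpg" alt="${encode(albumTitle)}">`;
}

// Minimal attribute tokenizer: a double-quoted value ends at the next '"',
// an unquoted value ends at whitespace or at the closing ">". Returns the
// attribute names a browser would see on the tag.
function attributeNames(tag) {
  const names = [];
  let i = tag.indexOf(" ") + 1;      // skip the tag name
  const end = tag.lastIndexOf(">");
  while (i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    let name = "";
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    if (name) names.push(name.toLowerCase());
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === "=") {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      if (tag[i] === '"') {
        const close = tag.indexOf('"', i + 1);
        i = close < 0 ? end : close + 1;   // after the closing quote
      } else {
        while (i < end && !/\s/.test(tag[i])) i++;  // unquoted value
      }
    }
  }
  return names;
}

// Constructed payload: the report's "onload=[js]// with alert(1) as the JS body.
// The trailing // turns the leftover '"' into a JS comment.
const ALBUM_TITLE_PAYLOAD = '"onload=alert(1)//';

// True when the rendered tag gained an event-handler attribute from the title.
function injectsHandler(albumTitle, encode) {
  return attributeNames(renderImgTag(albumTitle, encode)).includes("onload");
}

console.log(renderImgTag(ALBUM_TITLE_PAYLOAD, stripAngleBrackets));
console.log("vulnerable:", injectsHandler(ALBUM_TITLE_PAYLOAD, stripAngleBrackets));
console.log(renderImgTag(ALBUM_TITLE_PAYLOAD, escapeHtmlAttr));
console.log("hardened:  ", injectsHandler(ALBUM_TITLE_PAYLOAD, escapeHtmlAttr));
```

With the vulnerable sanitizer the rendered tag is `<img src="/thumb.jpg" alt=""onload=alert(1)//">`, and the tokenizer reports `onload` as a third attribute, which is exactly what a browser does with it. The fix is context-aware output encoding on the attribute value, not character blacklisting on input.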

Summary by sp1d3rs

Researcher successfully closed the image 'alt' attribute and injected javascript by intercepting the album creation request and submitting an XSS payload as the album title. This led to stored cross-site scripting on the user's album page, executed against any users who visited the album.

Timeline
2018-07-10T16:31:51.794Z  Report submitted to Redtube.

Regards,
Frans

2018-07-10T20:54:23.633Z  sp1d3rs: Comment
2018-07-10T21:26:22.074Z  dsimmons: Bug triaged
2018-07-24T16:21:01.240Z  Bounty awarded
2018-09-11T08:54:28.962Z  ghooks: Bug resolved
2018-09-16T23:48:21.567Z  sp1d3rs: Agreed on going public
2018-10-10T14:42:49.101Z  dsimmons: Agreed on going public
2018-10-10T14:42:49.181Z  dsimmons: Report became public