Stored XSS Vulnerability in H1C Private site

Hello Friends,
Recently, I found an interesting stored XSS vulnerability in a private site.
It was not easy; it was difficult to exploit.
The private site has a feature that allows users to create or start an email campaign for email marketing.
After logging in to my account on the website, I started an email campaign and sent an email from my website account to my personal email address.
Next, I received that email (sent via the campaign) in my personal mailbox, and I simply replied to it.
The reply was received in my account inbox on that website.
So I tried replying with an HTML tag, such as Hello <b>Hack</b>, but I received the same reply, Hello <b>Hack</b>, unchanged in the inbox of that website account.
Then I realised that we can't send raw HTML from Gmail, Yahoo Mail, etc.
So I copied that 'reply email' address, visited a fake email sender, and sent an email written in HTML; I received that message in the inbox of the website account, and the HTML was rendered.
I tried to find an XSS vulnerability and sent multiple XSS payloads, but my scripts were not executed.
I believed it was vulnerable to XSS, but my scripts were not executing.
Finally, I found the payload that worked:
<img src="/" =_=" title="onerror='prompt(1)'">
I sent an email from the fake email sender to the copied 'reply email' address with the above payload; the script executed in my account inbox on that site and the XSS fired in the Firefox browser.
I know it's very complex and difficult to understand.
Attack Scenario:
The victim logs in to their account, creates or starts an email campaign (i.e. starts email marketing) and sends it to a number of email addresses.
The attacker receives one of those emails, clicks Reply and copies the 'reply email' address.
The attacker then visits a fake email sender and sends an email, or a reply, containing malicious scripts to that address.
When the victim logs in to the website account and visits the inbox, the malicious scripts are executed.
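Why that payload gets past a naive attribute filter, and how the inbox could have neutralised it, as an added example (my own Python, not anything from the affected site): the whitespace-anchored regex filter is an assumption standing in for whatever the site actually used, and the tag/attribute allowlist is mine. Python's html.parser stands in for the browser's tokenizer, which reads the same bytes as a real onerror attribute.

```python
import re
from html import escape
from html.parser import HTMLParser

# The payload from the write-up (a constructed copy for this example).
PAYLOAD = '<img src="/" =_=" title="onerror=\'prompt(1)\'">'

# Illustrative naive filter (an assumption; the post does not say what the site
# used): it pairs attributes with a whitespace-anchored name="value" regex, so it
# reads  title="onerror='prompt(1)'"  as a harmless title attribute.
NAIVE_ATTR = re.compile(r'\s([A-Za-z_][\w-]*)\s*=\s*("[^"]*"|\'[^\']*\')')

def naive_attrs(markup):
    return [(m.group(1).lower(), m.group(2)[1:-1]) for m in NAIVE_ATTR.finditer(markup)]

class Sanitizer(HTMLParser):
    """Allowlist sanitizer built on a real HTML tokenizer: known tags and
    attributes only, never on* handlers, only http(s) or site-relative images."""
    ALLOWED = {"img": {"src", "alt", "title"}, "b": set(), "i": set(), "p": set(), "br": set()}
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.seen = [], []   # output pieces; every attribute the tokenizer reported
    def handle_starttag(self, tag, attrs):
        self.seen.extend(attrs)        # attributes as the browser will see them
        if tag not in self.ALLOWED:
            return                     # unknown tag is dropped
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue               # '=_' and 'onerror' both end here
            if name == "src" and not value.lower().startswith(("http://", "https://", "/")):
                continue               # refuses javascript:, data: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag not in ("img", "br"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def tokenizer_attrs(markup):
    s = Sanitizer(); s.feed(markup); s.close()
    return s.seen   # for PAYLOAD: src, a stray '=_' attribute, then a real onerror

def sanitize(markup):
    s = Sanitizer(); s.feed(markup); s.close()
    return "".join(s.out)
```

The naive filter reports only src and title for the payload, while the tokenizer reports an onerror attribute; the allowlist sanitizer keeps nothing but the src.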

I reported this finding; they accepted my report and rewarded me with a $900 bounty.
Apologies for typos and mistakes.
That's all Folks!