Exploiting XSS in POST requests on semrush.com

Recently, I’ve found something new for me , and I found this on www.semrush.com some bug bounty program on hackerone  . And it’s first time I’ve found XSS on hackerone program. So, This is the story.

While I’am looking around on semrush.com , try to one page and another page, put some payload on all field, and end on page https://www.semrush.com/my-posts/  this page is can be post something, and you able write everything you want. I try to put some xss payload on the field , but nothing happen.

Then, I try to upload some image, And the interesting time begin. I try to upload malicious filename on that page. It’s looks like this.

I take a long time to analyzing the request and response when I upload some image, but after a cup of coffee, help me to focus, and I notice the parameter CKEditorFuncNum on request is reflected on response. I try to write some text and see the result, is reflect on response

After know is reflected , I use payload XSS to trigger the XSS with payload like this : </script><script>alert(document.domain)</script> and it’s execute as script!.

After know this, I made simple HTML to execute this, and the code is like this :

<html>
  <body>
    <form action="https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=dadasd</script><script>alert(document.domain)</script>&langCode=en" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

And whenever user click Submit Request, The XSS will be fired UP!

This is mark as valid from semrush security team. It’s has been fixed very well. More Experience I Get.

You can visit on hackerone report : https://hackerone.com/reports/375352

Published by

apapedulimu

Urip Kui Urup

2 thoughts on “Exploiting XSS in POST requests on semrush.com”

Leave a Reply to fanskmau Cancel reply

Your email address will not be published. Required fields are marked *