Reflected XSS in codepen.io

This time I thought I'd look for XSS in codepen.io, so I created an account on codepen.io.

There was a project page where users submit projects and you can comment on their project,
so at first glance I thought, why not look for XSS, since there is a comment box and there might be some escape character that would help me.

About reflected XSS:
It is a type of XSS in which an attacker places client-side code (HTML or JavaScript) in a request, and the server reflects that code back into the response page without encoding it, so the victim's browser executes it as part of the page.

Why does this happen?
Because there is no proper sanitization in place: the user-supplied value is written into the HTML without output encoding, so characters like < > " ' keep their HTML meaning.

Here is the PoC:
1. Go to https://codepen.io/<username>/project/details/AVGOPD/
2. Add the following payload in the comment box: /*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"/-alert(1)//><img src=1 onerror=alert(1)>
3. Now change "src=1" to the image you want to show, as I did.
4. Now it is reflected in the page, as in the image below.
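As an added example (this is not CodePen's code and not part of the original post), here is a minimal Node.js comment renderer that concatenates the comment into the HTML the way the post describes, next to a hardened version that HTML-encodes it first. The payload is the one from the PoC above; the function names renderCommentVulnerable, renderCommentSafe, escapeHtml and extractTags are chosen here for illustration.

```javascript
// Added example, not CodePen's code: the reflection described in the post,
// side by side with an output-encoded rendering of the same comment.

// The PoC payload from the post. It is a polyglot: the first part closes any
// comment, CDATA, template, <script>, <title>, <textarea>, <style> or <xmp>
// context the comment might land in, then breaks out of a quoted attribute,
// and finally injects <img src=1 onerror=alert(1)>. Note that onerror only
// fires when the image fails to load; pointing src at a valid image shows the
// image but suppresses the alert.
const PAYLOAD = `/*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"/-alert(1)//><img src=1 onerror=alert(1)>`;

// Vulnerable: the submitted comment is concatenated straight into the HTML,
// so any markup inside it is parsed by the browser as part of the page.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: encode the five characters that carry meaning in HTML text and
// quoted-attribute contexts before the value is interpolated.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Rough stand-in for a browser: list the tag names an HTML parser would see.
// Anything beyond the wrapping <div> means the comment injected markup.
function extractTags(html) {
  const tags = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Stand-alone run: show both renderings and the tags each one exposes.
function main() {
  const renderers = [['vulnerable', renderCommentVulnerable], ['safe', renderCommentSafe]];
  for (const [label, render] of renderers) {
    const html = render(PAYLOAD);
    console.log(`${label}: tags=${JSON.stringify(extractTags(html))}`);
    console.log(html);
  }
}

main();
```

Running it, the vulnerable rendering exposes the closing tags and the injected img element to the parser, while the hardened one contains only the wrapping div and the payload survives as inert text. The escaping shown is correct for an element body or a quoted attribute; a value written inside a script block, a URL, or an unquoted attribute needs the encoding for that specific context instead.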

You can build a CSRF around the reflected XSS that leads to a popup showing "1", or whatever your payload is.

Unfortunately, I sent them the PoC combined with the CSRF, but they said it is not in scope,
so I released it.
