- Title: Vulnerability with the way \ escaped characters in http://danlec.com style links are rendered
- Reported by: danlec
- Bounty rewarded: $5,000
- Web application URL: https://hackerone.com
- Description: HackerOne is a bug bounty and vulnerability coordination platform through which security researchers report vulnerabilities and bugs in the web applications of the companies that run programs there. A typical HackerOne report has four fields:
  - CVSS Score
  - Title
  - Description
  - Impact
This report concerns a stored XSS vulnerability in the way backslash (`\`) escape characters were handled when `<http://...>`-style links were parsed in the Description field of the HackerOne report form. It was a rather simple bug: backslash-escaped characters inside such a link were not rendered safely, so a researcher could craft a character string that the page rendered as HTML rather than as text, giving stored XSS in HackerOne reports.
For instance, if a user pasted a string such as `<http://<h1>test</h1>>`, it was rendered as `http://<h1>test</h1>`, with the `<h1>` tags interpreted as markup, so the visible text was http://test.
This would allow an attacker to inject arbitrary HTML into a report: malicious JavaScript, unauthorised images, JS-based keyloggers, or open redirects. Some examples are given in the following sections.
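The following is an added example, not HackerOne's renderer and not the payload from the report. It is a toy Markdown autolink pass that shows the mechanism the title describes: a lenient grammar that treats `\<` and `\>` as escaped characters inside a `<http://...>` link, strips the backslashes after the link has been recognised, and writes the result into HTML without encoding it, placed beside a hardened version. The hardened grammar follows CommonMark, which does not interpret backslash escapes inside autolinks and forbids `<`, `>` and whitespace in them, and it HTML-encodes the URL on output. The input strings, the `danlec.com` payload and the function names are all constructed for this illustration.

```javascript
// Added example (not HackerOne's code): vulnerable vs hardened Markdown autolink rendering.

// Lenient grammar (vulnerable): "<", then a run in which a backslash escapes the
// next character (so "\<" and "\>" do not terminate the link), then ">".
const LENIENT_AUTOLINK = /<((?:[^<>\\]|\\.)+)>/g;

// Strict grammar (CommonMark autolink): scheme, ":", then no whitespace, "<" or ">".
// Backslash escapes are not interpreted inside an autolink at all.
const STRICT_AUTOLINK = /<([a-zA-Z][a-zA-Z0-9+.-]{1,31}:[^\s<>]*)>/g;

function removeBackslashEscapes(s) {
  return s.replace(/\\(.)/g, "$1");
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Shared driver: text outside autolinks is always HTML-encoded; only the link
// rendering differs between the two versions, as it did in the bug described above.
function renderParagraph(markdown, autolinkRe, renderLink) {
  let out = "";
  let last = 0;
  for (const m of markdown.matchAll(autolinkRe)) {
    out += escapeHtml(markdown.slice(last, m.index)) + renderLink(m);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(markdown.slice(last));
}

// Vulnerable: escapes are removed after matching and the raw text lands in the
// href attribute and the link body verbatim, so "\<h1\>" becomes live markup.
function renderAutolinksVulnerable(markdown) {
  return renderParagraph(markdown, LENIENT_AUTOLINK, (m) => {
    const url = removeBackslashEscapes(m[1]);
    return `<a href="${url}">${url}</a>`;
  });
}

// Hardened: strict grammar, http(s) allow-list for the scheme, and HTML encoding
// of the URL wherever it is written. Anything that is not a well-formed web
// autolink is emitted as encoded text.
function renderAutolinksSafe(markdown) {
  return renderParagraph(markdown, STRICT_AUTOLINK, (m) => {
    const url = m[1];
    if (!/^https?:\/\//i.test(url)) return escapeHtml(m[0]);
    const enc = escapeHtml(url);
    return `<a href="${enc}">${enc}</a>`;
  });
}

// Constructed inputs for the demonstration (not the report's payload).
const BENIGN = "Go to <http://danlec.com> now";
const PAYLOAD = "See <http://danlec.com\\<h1\\>test\\</h1\\>> for details";

console.log(renderAutolinksVulnerable(PAYLOAD)); // contains a live <h1>test</h1>
console.log(renderAutolinksSafe(PAYLOAD));       // every "<" is &lt;
```

Run with `node` to compare the two outputs. The point of the hardened version is that it does not rely on the grammar alone: even if a future parser change let stray characters into a link, `escapeHtml` on the output keeps them inert.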