XSS through base64 encoded JSON
This is one of my most interesting and unexpected findings while testing an Application Tracking System.
Let the target be target.com; there was only one subdomain in scope, which we will call sub.target.com. Whenever you visited sub.target.com it redirected to sub.target.com/members/index.php, and after logging in the base URL was sub.target.com/members/modules/.
So I did some basic walking of the application and couldn't find anything worthwhile for almost a week, but then I decided to fuzz not just the base URL mentioned above but sub.target.com/ itself, using a wordlist of common PHP file names, and found an interesting endpoint, sub.target.com/i.php, that looked like:
We can see a GET parameter in the base URL at the bottom of the page called "settings", which seems to take base64-encoded JSON. Let's verify:
Cool, now let's try to enter some HTML into one of the values in the decoded JSON and then encode it back to base64:
Now we put the base64-encoded value of the above JSON into the settings parameter in the URL to get the XSS pop-up:
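As an added illustration (not code from this write-up or from the tested application), here is a Python sketch of how a handler for such a base64-encoded JSON `settings` parameter can decode it strictly and HTML-escape every value before rendering, alongside the verbatim-concatenation pattern that produces the XSS. The key names, length limit and sample value are assumptions.

```python
import base64
import binascii
import html
import json

# Constructed sample: a base64-encoded JSON object like the one the
# settings parameter accepted. Keys and values are hypothetical.
SAMPLE_SETTINGS = base64.b64encode(
    json.dumps({"theme": "dark", "title": "<b>hello</b>"}).encode()
).decode()

# Allow-list of keys the page expects, with the JSON type each must have.
ALLOWED_KEYS = {"theme": str, "title": str}
MAX_PARAM_LEN = 2048  # assumed upper bound for the encoded parameter


def decode_settings(param: str) -> dict:
    """Base64-decode and parse the settings parameter, rejecting anything
    that is not a flat JSON object with known keys of the expected type."""
    if len(param) > MAX_PARAM_LEN:
        raise ValueError("settings parameter too long")
    try:
        raw = base64.b64decode(param, validate=True)
        data = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("settings is not base64-encoded JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("settings must be a JSON object")
    for key, value in data.items():
        if key not in ALLOWED_KEYS or not isinstance(value, ALLOWED_KEYS[key]):
            raise ValueError(f"unexpected setting: {key!r}")
    return data


def render_unsafe(settings: dict) -> str:
    # The pattern behind the bug: a decoded value is concatenated into
    # the HTML response verbatim, so any markup in it becomes live.
    return f"<h1>{settings['title']}</h1>"


def render_safe(settings: dict) -> str:
    # The fix: HTML-escape every decoded value before it reaches the page,
    # so injected tags are shown as text rather than interpreted.
    return f"<h1>{html.escape(settings['title'], quote=True)}</h1>"
```

Decoding the parameter does not make it trusted: the values still originate from the URL, so output encoding at the point of rendering is what prevents the injection.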