Redtube: Stored XSS on the [profile]/collections

ID H1:380204
Type hackerone
Reporter sp1d3rs
Modified 2018-10-10T14:56:36


The researcher closed the image 'alt' attribute and injected JavaScript by submitting an XSS payload as a collection title. This produced stored cross-site scripting on the user's collections page, executed against any user who visited that page. The user's favorites page was also affected whenever the collection carrying the payload was present there. The /users/<username>/collections and /users/<username>/favorites endpoints share the same root cause. Discovered on the day of the public program launch; request interception was not necessary.

Context: <img src="..." alt="[injection]">
Sanitized characters: < >
Payload: "onload=[js]// where [js] is any arbitrary JavaScript.

Only the angle brackets are removed, so a double quote in the title still terminates the quoted alt value. The text that follows is then parsed as a new onload attribute, and the trailing // turns the leftover closing quote into a JavaScript comment. Because onload on an <img> fires as soon as the image loads, no user interaction is needed.
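The attribute breakout described above, as an added example that is not part of the original report or the site's code. It models the flawed sanitisation the report implies (strip only < and >), the fix (full HTML attribute encoding), and a small attribute tokeniser that shows which attributes a browser would see in each case. The function names, the thumbnail URL and the choice of alert(1) for [js] are assumptions made for the illustration.

```javascript
// Added example, not code from the report or from the site. Names and the
// image URL are hypothetical; the payload is the report's shape with alert(1)
// standing in for the arbitrary JavaScript.
const PAYLOAD = '"onload=alert(1)//';

// Flawed sanitiser implied by the report: only '<' and '>' are removed, so a
// double quote inside the title still closes the quoted alt="" value.
function stripAngleBrackets(s) {
  return s.replace(/[<>]/g, "");
}

// Correct treatment for a value placed inside a quoted HTML attribute: encode
// every character that can change attribute or tag context.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical template for a collection thumbnail, in the two variants.
function renderThumbVulnerable(title) {
  return `<img src="/thumbs/collection.jpg" alt="${stripAngleBrackets(title)}">`;
}

function renderThumbFixed(title) {
  return `<img src="/thumbs/collection.jpg" alt="${escapeHtmlAttr(title)}">`;
}

// Minimal start-tag attribute tokeniser following the HTML tokenizer rules that
// matter here: a quoted value ends at the matching quote, an unquoted value ends
// at whitespace, and a character right after a closing quote begins a new
// attribute name (a parse error in the spec, but browsers still accept it).
function attributeNames(tag) {
  const m = /^<[a-zA-Z][^\s/>]*([\s\S]*)>$/.exec(tag);
  if (!m) return [];
  const s = m[1];
  const names = [];
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /[\s/]/.test(s[i])) i++;              // before attribute name
    if (i >= s.length) break;
    let name = "";
    while (i < s.length && !/[\s/=]/.test(s[i])) name += s[i++];  // attribute name
    names.push(name.toLowerCase());
    while (i < s.length && /\s/.test(s[i])) i++;                 // after attribute name
    if (s[i] !== "=") continue;                                   // valueless attribute
    i++;
    while (i < s.length && /\s/.test(s[i])) i++;                 // before attribute value
    if (s[i] === '"' || s[i] === "'") {
      const q = s[i++];
      while (i < s.length && s[i] !== q) i++;                    // quoted value
      i++;                                                       // closing quote
    } else {
      while (i < s.length && !/\s/.test(s[i])) i++;              // unquoted value
    }
  }
  return names;
}

// True when the rendered tag carries any event-handler attribute.
function isInjected(html) {
  return attributeNames(html).some((n) => n.startsWith("on"));
}

// Stand-alone demonstration of both renderings.
console.log(renderThumbVulnerable(PAYLOAD), attributeNames(renderThumbVulnerable(PAYLOAD)));
console.log(renderThumbFixed(PAYLOAD), attributeNames(renderThumbFixed(PAYLOAD)));
```

The vulnerable rendering yields `alt=""onload=alert(1)//"`, which the tokeniser (and a browser) reads as three attributes, src, alt and onload; the fixed rendering keeps the whole title inside alt because the quote has become `&quot;`. Stripping characters is context-blind; encoding for the exact output context is what closes this class of bug.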

Severity was set based on factors such as the number of potentially affected users, attack complexity, the absence of a user interaction requirement, and the possibility of stealing sensitive information or bypassing CSRF protection on the victim's side. I had some previous experience with the triage team, so in this case it was enough to demonstrate a simple popup, without a complex payload. Thanks to the team for the great report handling and bounty!