Razer: Reflected XSS at https://pay.gold.razer.com escalated to account takeover

2019-10-25T22:40:13
ID H1:723060
Type hackerone
Reporter corraldev
Modified 2020-01-10T08:57:00

Description

Summary:

Because the err parameter is injected into the body of the page without any sanitization, a victim could be tricked into visiting the page and have their account stolen.
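To make the root cause concrete, here is an added illustration (not Razer's code) of an error page that reflects the err query parameter: a vulnerable version that concatenates the decoded value straight into the HTML body, and the hardened version that HTML-encodes it at the point of insertion. The route template and function names are assumptions; the sample query is the payload from the report above.

```javascript
// Added example: reflected `err` parameter rendered without encoding (vulnerable)
// versus with output encoding (fixed). Template and names are assumptions.

// Constructed request: the crafted query string from the report.
const SAMPLE_QUERY = 'err=%3Csvg%20onpointerenter=z=alert,zcorraldev%3E';

// Encode the characters that can change meaning inside an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the URL-decoded parameter is placed in the page body
// as-is, so any markup in `err` is parsed by the browser as part of the page.
function renderErrorPageVulnerable(query) {
  const err = new URLSearchParams(query).get('err') || '';
  return `<div class="error">${err}</div>`;
}

// Hardened rendering: same template, but the value is HTML-encoded where it
// enters HTML text, so the browser shows it literally instead of parsing it.
function renderErrorPageFixed(query) {
  const err = new URLSearchParams(query).get('err') || '';
  return `<div class="error">${escapeHtml(err)}</div>`;
}

// Regression check: does the response still contain the raw '<' from the input?
function reflectsUnescaped(html) {
  return html.includes('<svg');
}

console.log('vulnerable:', renderErrorPageVulnerable(SAMPLE_QUERY));
console.log('fixed:     ', renderErrorPageFixed(SAMPLE_QUERY));
```

Encoding must happen at the output point for the specific context (HTML text here); a WAF in front of the application is a second layer, not a substitute, as the report's bypass shows.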

Steps To Reproduce:

1. Visit the specially crafted URL (Firefox | IE11): https://pay.gold.razer.com/Error/Uyt2ZXF0UjZLM0dvMHA4eUFHMDVoZEtrdWxjdzNTeTlYMnpLR0NiOVRmND0?err=%3Csvg%20onpointerenter=z=alert,zcorraldev%3E

2. Move your pointer around the center of the page, near the Continue button. An alert should appear.

Supporting Material/References:

{F618130}

Impact

Fortunately the WAF stops most XSS payloads, but with the bypass I used an attacker can execute scripts in a victim's session and take over their account, start a phishing campaign to steal PayPal accounts or credit card numbers, force users to download malware, and carry out many other advanced attacks.