
Let's dive directly into the bug so your reading time will not be wasted.
Discovery:
I was gambling with some extra money just for fun. As usual, I placed bets at the casino while exploring some extra functionality. Then, my hacker instinct kicked in — why not try to hack this platform and abuse it?
I first checked the deposit process, and they seemed to perform some manual checks. I tried embedding a blind XSS payload, but it didn’t work. So, I moved directly to the profile upload section.
Normally, I would just upload a regular PNG file. This time, I changed the content to an SVG payload, and it gave me the expected output. So I tried to create a popup, and it gave me an alert(1). OK, now we have confirmed it's vulnerable to XSS via SVG file upload, so how can we steal the user session?
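A server-side check for the upload flaw described above, as an added example that is not from the original post or the platform's code: it ignores the client-supplied filename and Content-Type and accepts a profile picture only when the bytes themselves are a PNG or JPEG. The function names, the sample inputs and the response headers are assumptions made for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Byte sequences that indicate active markup rather than a raster image.
MARKUP_HINTS = (b"<svg", b"<?xml", b"<!doctype", b"<html", b"<script")

def sniff_raster_type(data):
    """Return (mime, ext) decided from the bytes alone, or None."""
    if data.startswith(PNG_SIG) and len(data) >= 33:
        length, ctype = struct.unpack(">I4s", data[8:16])
        if length != 13 or ctype != b"IHDR":
            return None
        (crc,) = struct.unpack(">I", data[29:33])
        # The CRC covers the chunk type plus the 13-byte IHDR body.
        return ("image/png", "png") if zlib.crc32(data[12:29]) == crc else None
    if data.startswith(b"\xff\xd8\xff"):
        return ("image/jpeg", "jpg")
    return None

def validate_avatar(filename, declared_type, data):
    """filename and declared_type come from the client and are never trusted."""
    kind = sniff_raster_type(data)
    if kind is None:
        markup = any(h in data[:1024].lower() for h in MARKUP_HINTS)
        reason = "markup (SVG/XML/HTML) rejected" if markup else "not a recognised PNG/JPEG"
        return {"ok": False, "reason": reason}
    mime, ext = kind
    return {"ok": True, "mime": mime, "stored_name": f"avatar.{ext}", "headers": {
        "Content-Type": mime,                      # set by the server, not the client
        "X-Content-Type-Options": "nosniff",       # browser must not re-guess the type
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }}

def make_png_header(width=1, height=1):
    """Constructed sample: PNG signature plus a valid IHDR chunk."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr))
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + crc

# Constructed inputs: a harmless SVG renamed to .png, and a minimal PNG.
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'
SAMPLE_PNG = make_png_header()

if __name__ == "__main__":
    print(validate_avatar("me.png", "image/png", SAMPLE_SVG))
    print(validate_avatar("me.png", "image/png", SAMPLE_PNG))
```

Serving user uploads from a separate origin adds a second layer, since script running there cannot read the main application's storage.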
Exploit:
I quickly checked how the session was stored. The first thing to look at was the cookies. When I checked the cookies, they were empty. No session found. Then I checked the local storage and, to my surprise, they store the token in local storage, and it has a value of x-user.
Now I craft my malicious code to steal the other session