
I hacked an online gambling site via XSS upload (part 2) (3500 USD)

Bytesnull
2 min read · Mar 4, 2025


If you have not already read part 1, here is the link

Description:

After the developers' hotfix, they removed only the event handler that triggered the bug.

Even if I used <script>, <img>, or any other payload outside the <svg> tag, it was automatically removed.

Wait… why did the developers do this? 🤔

So, <svg></svg>—anything outside of it was filtered, but not the SVG itself? That’s when I came across a bypass! :)

In this part, the onload inside the SVG was not filtered, so I was still able to steal other tokens.

Another fix they implemented was related to stolen tokens — you couldn’t use them easily. They added an additional validation mechanism on the cookies, so even if you retrieved the token from local storage, you couldn’t use it without the specific combination they implemented on the cookie.

Another stealing mechanism: I noticed that the cookie didn't have the Secure flag, meaning it could still be stolen via XSS. So, I quickly integrated this into my code and exploited it again.

Here is the video PoC: https://youtu.be/bUWiQzhEmhQ?si=M9XeT-LvSQIkA2nO

I quickly reported this bug again, and this time they encoded the < and > characters entirely. They rewarded another 3500 USD :).
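An added example (my code, not the author's or the target's) contrasting the handler-blocklist hotfix described above with the encoding fix that finally held, plus a check for the cookie attributes the post touches on. The sample strings, the blocked handler name and the cookie header are constructed assumptions; the post does not name the handler removed in part 1.

```python
import html
import re

# Constructed inputs (not from the post): a bare SVG, an SVG with an inline
# onload handler, and a script tag placed outside the SVG.
SAMPLES = {
    "svg_plain": "<svg></svg>",
    "svg_onload": "<svg onload=alert(1)></svg>",
    "script_outside": "<svg></svg><script>alert(1)</script>",
}

# Placeholder for the single event handler the first hotfix removed; the post
# does not name it, so "onerror" is an assumption.
BLOCKED_HANDLER = "onerror"

def blocklist_filter(s: str) -> str:
    """The first hotfix as described: strip one named handler and drop every
    tag that is not <svg>. Any handler the list does not name survives."""
    s = re.sub(rf"\s{BLOCKED_HANDLER}\s*=\s*[^\s>]+", "", s, flags=re.I)
    return re.sub(r"<(?!/?svg\b)[^>]*>", "", s, flags=re.I)

def encode_filter(s: str) -> str:
    """The fix that finally held: encode < and > so the browser never parses
    the uploaded text as markup."""
    return html.escape(s, quote=True)

def has_inline_handler(s: str) -> bool:
    """Check a filter's output for any on* attribute left inside a tag."""
    return re.search(r"<[^>]*\son\w+\s*=", s, flags=re.I) is not None

def missing_cookie_flags(set_cookie: str) -> set:
    """Report which of Secure, HttpOnly and SameSite a Set-Cookie header lacks.
    HttpOnly is the attribute that keeps the cookie out of reach of page script;
    Secure limits it to HTTPS; SameSite limits cross-site sending."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return {f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in attrs}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        weak, strong = blocklist_filter(sample), encode_filter(sample)
        print(f"{name}: blocklist leaves handler={has_inline_handler(weak)}, "
              f"encoded leaves handler={has_inline_handler(strong)}")
    print("missing cookie flags:", missing_cookie_flags("session=abc; Path=/"))
```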
