Stored XSS-ing Millions Of Sites Through HTML Comment Box

January 18, 2017

Our guest blogger and Detectify Crowdsource hacker Karim Rahal explains how he discovered and reported a stored XSS vulnerability that affected over a million websites.

The Story

My friend Ibram Marzouk found a Stored XSS vulnerability in PasteCoin that affected the comment sections across the whole website.

He later shared the following XSS payload he used:

"/>.<<img src=x onerror=alert(1)//\">><>

It looked elaborate and confusing, and after some tinkering I was able to reduce it to the following XSS payload:

">><<img src=x onerror=alert(1);//>>

This is an “Extraneous open brackets” type of payload according to OWASP.

A couple of months later, I stumbled upon an article about creating a comment box for your own website. The comment box they used seemed very familiar and it looked exactly like the one that was vulnerable to Stored XSS at PasteCoin.

I noticed that there was a watermark under the comment box saying “by Html Comment Box”, and found out that the comment section was a third-party widget that websites could embed.

I tried the XSS payload that was reduced from Ibram’s original payload on PasteCoin, and it successfully executed!

I then embedded Html Comment Box locally, and the payload also executed.

Breaking The Payload Down

According to the developer, his XSS filter analyzed the opening and closing tags in the submitted comment and checked the attributes specified within those tags; any attribute it recognized as dangerous was then blocked.

The following payload was used to bypass the filter:

">><<img src=x onerror=alert(1);//>>

The opening and closing tag check was bypassed by doubling the “greater than (>)” and “less than (<)” characters, so the filter and the browser no longer agreed on where the tag begins and ends. The attribute check was bypassed by terminating the JavaScript statement with a semicolon (;) and following it with a double slash (//), which comments out the rest of the line so the trailing characters never break the script.

Credits to Franz Sedlmaier for the filter bypass explanation submitted to OWASP.
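As an added example (not the Html Comment Box code and not the author's), the following JavaScript puts a hypothetical naive tag filter of the kind described above beside plain HTML escaping, and shows why the doubled brackets slip past a filter that tokenizes differently from the browser. The function names `naiveFilter`, `escapeHtml` and `hasEventHandler` are assumptions for this example.

```javascript
// Added example, not the Html Comment Box code. naiveFilter() is a
// hypothetical reconstruction of a tag-and-attribute blacklist filter;
// escapeHtml() is the context-aware alternative for untrusted comments.

// Naive filter: take each "<...>" run, treat it as a tag only if it starts
// with a tag name, and strip on* event-handler attributes from it.
function naiveFilter(comment) {
  return comment.replace(/<([^>]*)>/g, (whole, inner) => {
    const m = /^\s*\/?([a-zA-Z][\w-]*)([\s\S]*)$/.exec(inner);
    // "<<img ..." starts with a second "<", so it is not seen as a tag
    // and is passed through untouched; the browser disagrees.
    if (!m) return whole;
    const [, name, attrs] = m;
    const cleaned = attrs.replace(
      /\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]*)/gi, '');
    return `<${name}${cleaned}>`;
  });
}

// Hardened approach: a comment is text, so escape every HTML-significant
// character before it is inserted into the page as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Rough model of the browser's view: "<" followed by a letter opens a tag,
// so "<<img ..." yields a literal "<" and then an <img> element. Reports
// whether any such element still carries an on* attribute.
function hasEventHandler(html) {
  return /<[a-zA-Z][^>]*\son\w+\s*=/i.test(html);
}

const PAYLOAD = '">><<img src=x onerror=alert(1);//>>'; // from the post
const SIMPLE  = '<img src=x onerror=alert(1)>';        // constructed

// The naive filter handles the simple case but not the doubled brackets;
// escaping handles both because no "<" survives at all.
console.log(naiveFilter(SIMPLE));                       // <img src=x>
console.log(hasEventHandler(naiveFilter(PAYLOAD)));     // true
console.log(hasEventHandler(escapeHtml(PAYLOAD)));      // false
```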

The Impact

Out of curiosity, I used a simple Google dork to find out how many websites used the third-party comment section.

I was astonished! About 2,000,000 results were displayed!

The Resolution

I wasn’t able to get the developer’s contact information for a while until Detectify invited me to its new Detectify Crowdsource program.

I quickly reported the Stored XSS vulnerability to the Detectify Crowdsource program and Detectify was able to provide me with the contact information of the developer.

Thankfully, the security flaw that affected millions of websites was fixed within a couple of hours after an email was sent to the developer.

Are you interested in joining Karim and other security researchers on Detectify Crowdsource? Drop us an email: hello [at] detectify.com and we’ll tell you more, or check out this blog post where we explain what we look for in a Detectify Crowdsource hacker.

Karim Rahal
14 Year Old Security Researcher

Ibram Marzouk
14 Year Old Security Researcher