Stored XSS On Rediff Mail

Last updated on Jul 31, 2021 2 min read

Hi Guys, the other day I discovered a Stored Cross-Site Scripting (XSS) Issue on Rediff mail and also reported this issue to Rediff didn’t get any credit for it though :-)
They dropped me mail notifying me that issue has been addressed.
I demonstrate the Stored XSS issue.

But, First of all let’s understand what XSS basically means
XSS (Cross-Site Scripting)
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.

There are basically two types of XSS:

1) Reflected XSS Attacks

2) Stored XSS Attacks

So, Let  get started
This is an extremely critical vulnerability as the user data will be compromised just by visiting malicious user profile leading to execution of malicious script on the victim browser.

Here is a proof of concept of Stored XSS on Rediffmail :)

  • Hosted JavaScript File locally with following content:

“document.write (“Stored XSS " + document.cookie);alert (“cookie Value” + document.cookie);”

Hosted Local File

  • Parameter Affected: School and college combined.

Here is the tricky part of it.

The individual school and college parameter didn’t give XSS alert.

So I tried to combine both field by using following vector:

School:

/><SCRIPT SRC=“http://localhost/xss/xss.js”/*

College:

*/>

Step 1
\

  1. Saved the attack vector in his profile. As soon as the user visits attacker profile malicious script will be executed on his browser.

Cross Site Executed

Bingo!! Another Bug ;)
Hope you liked the post, many more bug bounty to come.
Once we get the acknowledgment of issues being fixed we will be sharing them with you..

Please feel free to comment.
Thanks and Happy Bounty Hunting

Original Article Posted On

https://www.avsecurity.in/stored-xss-on-rediff-mail-2/

Vinesh Redkar
Vinesh Redkar
Senior Security Researcher

Security professional with over 9 years of experience in the security domain across various industries such as Finance, Insurance, Telecom, and government