{"id":148,"date":"2022-08-14T12:49:19","date_gmt":"2022-08-14T10:49:19","guid":{"rendered":"https:\/\/bergee.it\/blog\/?p=148"},"modified":"2022-09-07T09:09:00","modified_gmt":"2022-09-07T07:09:00","slug":"the-forgotten-api-and-xss-filter-bypass","status":"publish","type":"post","link":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/","title":{"rendered":"The forgotten API and XSS filter bypass"},"content":{"rendered":"

On one site I found the forum section. There was an option to join some groups and then create posts in the group. I created an account, joined some opened group, and then created the post with the payload:<\/p>\n

<img src=x onerror=alert(1)><\/p><\/blockquote>\n

Nothing happened the user input was properly sanitized. I tried URL encoding, double URL encoding, and HTML entity encoding however nothing worked :(. The group URL was like:<\/p>\n

https:\/\/www.redacted.com\/members\/modules\/groupsV3\/<\/p><\/blockquote>\n

I thought\u00a0 – what if I change the groupsV3<\/em> to groupsV2<\/em> or groupsV1?<\/em> I didn’t expect much, however, I changed V3 to V2, and… it worked, the URL was valid but no alert box :(. There was some other filter in action – quotes, double quotes, and parenthesis were cut. Hmmm, there must be a way to bypass it. By googling for some time I found this payload:<\/p>\n

<img src=x onerror=setTimeout`alert\\x28document.domain\\x29`><\/p><\/blockquote>\n

It is based on template literal expressions.\u00a0 You can read about it here<\/a>. I used it in a forum post and.. it worked like a charm :). The alert box popped up.<\/p>\n

See you next bug :).<\/p>\n

Reward: \ud83d\udc55<\/p>\n","protected":false},"excerpt":{"rendered":"

On one site I found the forum section. There was an option to join some groups and then create posts in the group. I created an account, joined some opened group, and then created the post with the payload: <img src=x onerror=alert(1)> Nothing happened the user input was properly sanitized. I tried URL encoding, double…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,33,29],"tags":[],"class_list":["post-148","post","type-post","status-publish","format-standard","hentry","category-bez-kategorii","category-vdp","category-write-up"],"yoast_head":"\nThe forgotten API and XSS filter bypass - Bergee's Stories on Bug Hunting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The forgotten API and XSS filter bypass - Bergee's Stories on Bug Hunting\" \/>\n<meta property=\"og:description\" content=\"On one site I found the forum section. There was an option to join some groups and then create posts in the group. I created an account, joined some opened group, and then created the post with the payload: <img src=x onerror=alert(1)> Nothing happened the user input was properly sanitized. I tried URL encoding, double...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/\" \/>\n<meta property=\"og:site_name\" content=\"Bergee's Stories on Bug Hunting\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-14T10:49:19+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-07T07:09:00+00:00\" \/>\n<meta name=\"author\" content=\"bergee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/bergee\" \/>\n<meta name=\"twitter:site\" content=\"@bergee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"bergee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/\"},\"author\":{\"name\":\"bergee\",\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"headline\":\"The forgotten API and XSS filter bypass\",\"datePublished\":\"2022-08-14T10:49:19+00:00\",\"dateModified\":\"2022-09-07T07:09:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/\"},\"wordCount\":203,\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"articleSection\":[\"Bez kategorii\",\"vdp\",\"write-up\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/\",\"url\":\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/\",\"name\":\"The forgotten API and XSS filter bypass - Bergee's Stories on Bug Hunting\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/#website\"},\"datePublished\":\"2022-08-14T10:49:19+00:00\",\"dateModified\":\"2022-09-07T07:09:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/bergee.it\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The forgotten API and XSS filter bypass\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/bergee.it\/blog\/#website\",\"url\":\"https:\/\/bergee.it\/blog\/\",\"name\":\"Bergee's Stories on Bug Hunting\",\"description\":\"hacking, cyber security and programming\",\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/bergee.it\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\",\"name\":\"bergee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"width\":129,\"height\":150,\"caption\":\"bergee\"},\"logo\":{\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\"},\"sameAs\":[\"http:\/\/localhost\/wordpress\",\"https:\/\/www.linkedin.com\/in\/bartlomiej-bergier\",\"https:\/\/x.com\/https:\/\/twitter.com\/bergee\"],\"url\":\"https:\/\/bergee.it\/blog\/author\/bergee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The forgotten API and XSS filter bypass - Bergee's Stories on Bug Hunting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/","og_locale":"en_US","og_type":"article","og_title":"The forgotten API and XSS filter bypass - Bergee's Stories on Bug Hunting","og_description":"On one site I found the forum section. There was an option to join some groups and then create posts in the group. I created an account, joined some opened group, and then created the post with the payload: <img src=x onerror=alert(1)> Nothing happened the user input was properly sanitized. I tried URL encoding, double...","og_url":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/","og_site_name":"Bergee's Stories on Bug Hunting","article_published_time":"2022-08-14T10:49:19+00:00","article_modified_time":"2022-09-07T07:09:00+00:00","author":"bergee","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/bergee","twitter_site":"@bergee","twitter_misc":{"Written by":"bergee","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/#article","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/"},"author":{"name":"bergee","@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"headline":"The forgotten API and XSS filter bypass","datePublished":"2022-08-14T10:49:19+00:00","dateModified":"2022-09-07T07:09:00+00:00","mainEntityOfPage":{"@id":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/"},"wordCount":203,"publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"articleSection":["Bez kategorii","vdp","write-up"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/","url":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/","name":"The forgotten API and XSS filter bypass - Bergee's Stories on Bug Hunting","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/#website"},"datePublished":"2022-08-14T10:49:19+00:00","dateModified":"2022-09-07T07:09:00+00:00","breadcrumb":{"@id":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/bergee.it\/blog\/the-forgotten-api-and-xss-filter-bypass\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergee.it\/blog\/"},{"@type":"ListItem","position":2,"name":"The forgotten API and XSS filter bypass"}]},{"@type":"WebSite","@id":"https:\/\/bergee.it\/blog\/#website","url":"https:\/\/bergee.it\/blog\/","name":"Bergee's Stories on Bug Hunting","description":"hacking, cyber security and programming","publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergee.it\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73","name":"bergee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","width":129,"height":150,"caption":"bergee"},"logo":{"@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png"},"sameAs":["http:\/\/localhost\/wordpress","https:\/\/www.linkedin.com\/in\/bartlomiej-bergier","https:\/\/x.com\/https:\/\/twitter.com\/bergee"],"url":"https:\/\/bergee.it\/blog\/author\/bergee\/"}]}},"_links":{"self":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/comments?post=148"}],"version-history":[{"count":8,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/148\/revisions"}],"predecessor-version":[{"id":177,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/148\/revisions\/177"}],"wp:attachment":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/media?parent=148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/categories?post=148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/tags?post=148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}