El Mehdi
928 posts
Joined July 2023
- I published a blog post about two XSS vulnerabilities I found in Excalidraw that were affecting Meta.
- Found a page with an onmessage tracker that redirects users without scheme validation. It verified messages from a trusted iframe, but missing X-Frame-Options let me iframe the target page, swap the trusted iframe's location inside it with mine, bypass validation, and achieve XSS.
- Replying to @Rhynorater and @asad_anwar90: I found before that a parser converted [ to /[, and with that, I was able to bypass OAuth redirect_uri validation. elmahdi.tistory.com/4
- don't forget to disable ad blocker extensions if you're searching for postMessage vulnerabilities
- Replying to @elmehdimee: Found XSS in UserWay's widget because they replaced an a tag's href without validating the scheme, but only for a tags with data-uw-original-href. The issue? No such tag existed, and they used querySelectorAll('a[data-uw-original-href="originalHref"i]') with originalHref taken from the message.
- Replying to @elmehdimee: Since originalHref wasn't validated, I injected \"],a,d[d=\"d to break the query and append a new selector. This made querySelectorAll return all <a> tags, letting me set correctionHref to javascript:alert(1), replacing all links and leading to XSS.
- Replying to @GhiffariZaid, @696e746c6f6c and @bxmbn: If you're unable to bypass CSP, you can still steal saved credentials in the browser by setting up a form with some CSS and <br> tags, unless there is a form-action restriction.
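The two postMessage findings above (the redirect without scheme validation, and the widget that built a querySelectorAll string from message data) share the same defensive fixes. The handler below is an added example, not code from the tweets or from UserWay: it checks event.origin against an allowlist, validates that the replacement href is http(s) before using it, and matches anchors by exact attribute comparison instead of interpolating untrusted text into a selector. The origins, the message field names and the anchor stand-ins are all assumptions made for the example.

```javascript
// Added example (not from the thread): a hardened postMessage handler for a
// link-rewriting widget. Assumed: the widget's iframe origin, the message
// fields originalHref/correctionHref, and the anchor objects passed in.
const TRUSTED_ORIGINS = new Set(['https://widget.example']); // assumed origin

// Only http(s) targets are accepted, so javascript: and data: URLs are
// rejected before they can reach an href. The base is an assumed page origin.
function isSafeHref(href) {
  let url;
  try {
    url = new URL(String(href), 'https://page.example/');
  } catch (e) {
    return false; // unparsable input is treated as unsafe
  }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

// anchors: objects with getAttribute/setAttribute, standing in for the result
// of document.querySelectorAll('a[data-uw-original-href]') in a browser.
function applyHrefCorrection(event, anchors) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { rewritten: 0, reason: 'untrusted origin' };
  }
  const data = event.data || {};
  if (typeof data.originalHref !== 'string' || typeof data.correctionHref !== 'string') {
    return { rewritten: 0, reason: 'malformed message' };
  }
  if (!isSafeHref(data.correctionHref)) {
    return { rewritten: 0, reason: 'unsafe scheme' };
  }
  let rewritten = 0;
  for (const a of anchors) {
    // Exact comparison: no selector string is built, so quotes or brackets
    // in originalHref cannot change which anchors match.
    if (a.getAttribute('data-uw-original-href') === data.originalHref) {
      a.setAttribute('href', data.correctionHref);
      rewritten++;
    }
  }
  return { rewritten, reason: 'ok' };
}

// Minimal anchor stand-in (constructed) so the example runs outside a browser.
function makeAnchor(attrs) {
  const store = { ...attrs };
  return {
    getAttribute: (k) => (Object.prototype.hasOwnProperty.call(store, k) ? store[k] : null),
    setAttribute: (k, v) => { store[k] = v; },
  };
}

// Usage: a message from an untrusted origin rewrites nothing, and a trusted
// message carrying a javascript: href is dropped before any anchor is touched.
const demoAnchors = [makeAnchor({ 'data-uw-original-href': 'https://old.example/' })];
console.log(applyHrefCorrection(
  { origin: 'https://widget.example', data: { originalHref: 'https://old.example/', correctionHref: 'https://new.example/' } },
  demoAnchors
));
```

In a real page the same shape applies to a redirect handler: validate the origin, then pass the target through isSafeHref (or an allowlist of paths) before assigning it to location.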