Bypassing XSS filter and Stealing User Payment Data

So here is another writeup about how I bypassed an XSS filter and created a payload to get users' credit card data. It was a private program on Bugcrowd; let's just say it was named Redact.

So by putting an I was able to break out of the input field. After that, I tried the most basic payload, "><script>alert(1)</script>, but unfortunately my request was blocked by the WAF. So I tried another payload, "onmouseover=alert(1), and again my request was blocked by the WAF.

As the page was using jQuery, I requested the whole payment data page with $.get() and posted the page content to my server with $.post(), so with this payload I was able to get users' payment data:

But unfortunately, my report was marked as a duplicate.

Thank You for Reading.
