Weird (im)possible XSS on error page

Hello all,

This is my first write up.

I am not usually a person who does write ups, but wanted to start sharing some with everyone.

I was working on a private program, which I am not allowed to mention the name lets say test.com.

The error page was disabled on this website and it was kind of integrated in the website itself with a background and all even when trying to add something malicious it redirects you to another page. In test.com/test I was able to get an error ( Reflection Exception) which surprised me. I started searching for more information regarding this error found that some Researchers were able to inject html into it. How I found this error ? by adding extensions to the directories. Ex: test.com/test is the original page, I tested test.com/test.php or test.aspx and I got an error page. So I saw that I can manipulate the error pages error message to my own error message.

Doing that old trick , I have reported the bug but I got a reply from the program Security engineer that they are aware of this issue and it is not eligible for a bounty so they are going to close it as RTFS.

So I left the error page to check for something else, since I thought that this was an easy bounty and I was wrong. After a while , while testing I stumbled into the same error page. I tested for html injection which I forgot, I was able to inject html with the error message making the message BOLD or Underlined ,etc..

I did not want to report it, since I knew they are going to tell me “ We don't see any impact”.

I started testing for XSS, I did everything in the book that can be done, tested a lot of payloads. It was very weird that the page was only responding to only specific tags and others are being ignored. I retested html and same thing happened.. when the tags are not accepted I am being redirected to the home page.

I started with XSS payloads with <img src= tags instead of every other tag and it reflected on the page with a small icon that shows that the photo is being imported but no photo was there, I figured that I was able to get an XSS here. Every payload I tried redirected me to home page. so I felt that I was back to the beginning and that made me crazy.

After doing a lot of tests, I found out that when I am adding the whole payload Ex: <script>alert(1)</script> it is redirecting me to the home page or an error page which was used by the web admin to detect malicious codes in the website, but what the admin did not know, is that he had some kind of a misconfiguration that I was able to inject any malicious payload without closing the tag Ex: <script>alert(1) the tag is being closed. and Yes, I even tried to start the payload with “><script>.. tried alert , onerror, and all..

Finally , I removed test.aspx as mentioned and added the payload as a directory and ended the payload with .aspx

so the final payload as seen in the photo: %3Cimg%20src=%22'%22id=’%3Cimg%20src=%22%22%3E’onerror=alert(1).aspx

Got some bounty and learned something new!

Thanks

twitter: komradz86