IT-Securityguard Blog

[BugBounty] Papyal XML Upload Cross Site Scripting Vulnerability

| 3 Kommentare

Greetings readers, today i want to share with you one of my latest findings on Paypal.com.When creating an invoice Paypal allows the users to upload attachements for the invoices one attachement that they allow is a XML file. What the developer may missed here is that you can actually insert HTML into XML files, the namespace allowing this for XML files is called xmlns and a valid xmlns file would look something like this :

When i uploaded a file with this content and the ending.xml the intepreter on Paypals site executed the Payload (in this case the alert 1). To fullfill the requirements for a bounty you always have to make such a vulnerability exploitable and therefore a risk for other Paypal Users. In this case it was pretty easy, you could either way send the Link to this file directly (it doesn’t matter wether the user is logged in or not) or you send it with the Invoice and wait for the user to klick on it.

Here is the POC i sent in to the Paypal bug bounty team :

If you have have questions on this particular case please don’t hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com

All the best

Patrik

3 Kommentare

  1. great finding

  2. Wow! Nice job!

  3. Nice again

Schreibe einen Kommentar

Pflichtfelder sind mit * markiert.