DEV Community

darkmage
Sankaku Complex XSS

first written January 19, 2019

This is, officially, my first recognized XSS bug that I've found. I am super excited because it basically confirmed that I am doing the right things in general and just need to be more patient about it. As they say, "everything is time" :)

So here I was, chilling in the morning, checking websites, and I decide to be a degen and visit my favorite animu/mango/hentai site, Sankaku Complex.

Sankaku has a long history of posting adult material on their website, and at some point implemented a simple disclaimer pop-over. I happened to notice that the URL that shows up in the bottom bar when you roll over the link was different and indicated a middleman URL with a redirect.

Right-click, copy link location. Paste in new tab. Such hacker, wow.

So, there IS a middleman!

```
https://www.sankakucomplex.com/mature-content-disclaimer/?then=
```

Basically, the "then" parameter is written straight into the markup of the Yes/No links on that page, which is crazy because it isn't being escaped or validated at all before it is reflected.

I played around for a few minutes until I broke the system and could observe some behavior. It is amazing how many things will break if you just try inputting a single double-quote and a greater-than character ">.

Turns out on that field, you can inject arbitrary HTML, including <script> tags!

The string "> is all it took to break the page.

However, the full payload could be as short as:

```
"><script>alert()</script>
```

```
https://www.sankakucomplex.com/mature-content-disclaimer/?then="><script>alert()</script>
```
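To make the mechanism concrete, here is an added Python example (not code from the post or from Sankaku Complex) that models what the post describes: a disclaimer page that builds its Yes link from a `then` query parameter. The vulnerable renderer drops the parameter straight into the `href` attribute, so the post's `"><script>alert()</script>` payload closes the attribute and the tag and the script lands in the page. The hardened renderer does two things the page was missing: it HTML-escapes the value before putting it in the attribute, and it only accepts redirect targets that are same-site relative paths or absolute URLs on an assumed host (`www.sankakucomplex.com` is taken from the post's URL; the allowlist logic and the page text are my assumptions), which also closes the open-redirect hole that a raw `then` parameter leaves open even after escaping.

```python
import html
from urllib.parse import urlparse

# Assumed host for the same-site check; taken from the URL in the post.
SITE_HOST = "www.sankakucomplex.com"
# Where to send the user when the supplied target is rejected.
DEFAULT_THEN = "/"


def render_disclaimer_vulnerable(then: str) -> str:
    """Reflects the parameter unescaped into the href attribute.

    This is the pattern the post describes: a value such as
    '"><script>alert()</script>' closes the quoted attribute and the <a> tag,
    and the browser then executes the injected script.
    """
    return (
        "<p>This page contains mature content. Continue?</p>\n"
        f'<a href="{then}">Yes</a> <a href="/">No</a>'
    )


def safe_redirect_target(then: str) -> str:
    """Return `then` only if it is a same-site target, else DEFAULT_THEN.

    Accepts: relative paths starting with a single '/' (not '//', which
    browsers treat as protocol-relative), and http(s) URLs on SITE_HOST.
    Everything else, including the XSS payload and off-site hosts, is dropped.
    """
    if not then:
        return DEFAULT_THEN
    parsed = urlparse(then)
    is_relative_path = (
        parsed.scheme == ""
        and parsed.netloc == ""
        and then.startswith("/")
        and not then.startswith("//")
    )
    if is_relative_path:
        return then
    if parsed.scheme in ("http", "https") and parsed.netloc == SITE_HOST:
        return then
    return DEFAULT_THEN


def render_disclaimer_hardened(then: str) -> str:
    """Validate the redirect target, then escape it for the attribute context.

    html.escape(..., quote=True) turns '"' into '&quot;' and '<' into '&lt;',
    so even an accepted same-site path cannot break out of the href attribute.
    """
    target = safe_redirect_target(then)
    return (
        "<p>This page contains mature content. Continue?</p>\n"
        f'<a href="{html.escape(target, quote=True)}">Yes</a> <a href="/">No</a>'
    )


if __name__ == "__main__":
    payload = '"><script>alert()</script>'  # the payload from the post
    print("vulnerable:", render_disclaimer_vulnerable(payload))
    print("hardened:  ", render_disclaimer_hardened(payload))
```

Escaping alone would have stopped the script injection, but a redirect parameter needs the allowlist as well: without it, `?then=https://attacker.example/` would still bounce a user who clicks Yes off the site. Checking the return values of `safe_redirect_target` is the easy way to unit-test that rule independently of the HTML rendering.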

The public disclosure date was 17 February 2019, and the report can be located at: https://www.openbugbounty.org/reports/726249/


If you need a Computer Science tutor, code reviewer, or just someone to pair program with, hit me up
