DEV Community

loading...

Sankaku Complex XSS

darkmage
Computer Science Tutor, Programmer, Gamedev, Hacker, Bug Bounty Hunter
・2 min read

first written January 19, 2019

This is, officially, my first recognized XSS bug that I've found. I am super excited because it basically confirmed that I am doing the right things in general and just need to be more patient about it. As they say, "everything is time" :)

So here I was, chilling in the morning, checking websites, and I decide to be a degen and visit my favorite animu/mango/hentai site, Sankaku Complex.

Sankaku has a long history of posting adult material on their website, and at some point implemented a simple disclaimer pop-over. I happened to notice that the URL that shows up in the bottom bar when you rollover the link was different and indicated a middleman URL with a redirect.

Right-click, copy link location. Paste in new tab. Such hacker, wow.

So, there IS a middleman!

https://www.sankakucomplex.com/mature-content-disclaimer/?then=

Basically, the "then" parameter is used to generate the Yes/No links on that page, which is crazy because it isn't being properly sanitized.

I played around for a few minutes until I broke the system and could observe some behavior. It is amazing how many things will break if you just try inputting a single double-quote and a greater-than character ">.

Turns out on that field, you can inject arbitrary HTML, including <script> tags!

The string "> is all it took to break the page.

However, the full payload could be as short as:

"><script>alert()</script>

https://www.sankakucomplex.com/mature-content-disclaimer/?then="><script>alert()</script>

The public disclosure date was 17 February 2019, and the report can be located at: https://www.openbugbounty.org/reports/726249/


If you need a Computer Science tutor, code reviewer, or just someone to pair program with, hit me up

Discussion (0)