Menu

Blog

Story of Playstation(Sony) XSS

Hello all!!! Today i decided to share my finding of xss on subdomain of playstation. It was 1 year ago i think, i started hunting bug on sony websites and first i found directory indexing on [ https://blog.latam.playstation.com/wp-content/ https://blog.latam.playstation.com/wp/wp-includes/ https://blog.us.playstation.com/wp/wp-includes/ https://blog.us.playstation.com/wp-content/ https://blog.br.playstation.com/wp/wp-includes/ https://blog.br.playstation.com/wp-content/ https://rd.playstation.com/ ]

Then i reported to sony and they didn’t accept because they could not find any impact.I didnt understand why they said that :3 and i was like okay.Then I tried to dig more into the folders and found this page [ https://blog.latam.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html ]. I found Qunit 1.21.0 on the page and i decided to find exploit on google. Then i found this page.

There are two pocs and the 2nd poc shows that the parameter testId is vulnerable to xss.So i decided to give it a try.First i injected payload <svg onload=alert(1)> and waf filters it.Then i fuzzed a lot and at last boom! double url encoding bypass the waf.

So the POC link is [ https://blog.us.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html?testId=%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39%25%36%65%25%32%39%25%33%65 ].

Then i reported the bug and they replied back after 3 months and rewarded a swag that was never shipped to me :V .

Thats my story of xss on playstation. Hope you like it. Thanks!!!

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top