Monday, 22 February 2016

Cross-Site Scripting (XSS) in Mozilla Addon Site

I am Paresh Parmar.
This is my first write-up.

So let's start.
It was 2016-02-09, and I was reading the blog of Ashar Javed.

After reading that blog, I decided to test Mozilla addons.

I changed my user agent string to mobile:

Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0.

I started looking for XSS only, so I was checking the addon review system.
For example:
Here you can write a review about a particular addon!

I added my payload in the review:

<img src=x onerror=alert(document.domain)>
And submitted the review and boom!!! XSS executed.
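
For defenders, the bug class above as a regression check (an added example, not code from the original post or from Mozilla's code base). The render functions, the allowed-tag list and the sample review are hypothetical; only the review body is the payload quoted in the post.

```python
import html
from html.parser import HTMLParser

# Constructed sample review; the body is the payload quoted in the post.
SAMPLE_REVIEW = {"author": "tester",
                 "body": "<img src=x onerror=alert(document.domain)>"}

TEMPLATE = '<li class="review"><span>%s</span><p>%s</p></li>'


def render_review_unsafe(review):
    """Hypothetical vulnerable view: user text is concatenated in as markup."""
    return TEMPLATE % (review["author"], review["body"])


def render_review_safe(review):
    """Same view with every user-controlled value HTML-escaped on output."""
    return TEMPLATE % (html.escape(review["author"], quote=True),
                       html.escape(review["body"], quote=True))


class _Audit(HTMLParser):
    """Records tags and event-handler attributes a browser would act on."""
    ALLOWED_TAGS = {"li", "span", "p"}  # tags the template itself emits

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            self.findings.append("unexpected tag <%s>" % tag)
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("event handler %s on <%s>" % (name, tag))


def audit(markup):
    """Return a list of findings for rendered markup; empty means clean."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("unsafe:", audit(render_review_unsafe(SAMPLE_REVIEW)))
    print("safe:  ", audit(render_review_safe(SAMPLE_REVIEW)))
```

Running the audit over every template that displays review text, including mobile-specific ones, catches a view that skips escaping even when the desktop view is correct.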


Reported this issue to
After reporting this issue, I started digging into this.

As far as I know, we can bypass the CSRF protection of that page via XSS.
There are three steps to bypass the CSRF token using XSS:

1. First, request the form
2. Extract the valid CSRF token
3. Submit the form using the valid CSRF token

Here's a super example about XMLHttpRequest
Reference:

After only 12 hours, they confirmed this issue, and in just 2 days they fixed this issue.
Here's the commit

Regarding the bounty, I sent an email to along with the Bugzilla report ID and another PoC ;)
After a few days, I got this mail

Here's the video PoC:

2016-02-09 13:35:54 PST - Report Sent

2016-02-10 07:10:17 PST - Confirmed

2016-02-11 08:53:31 PST - Fixed

2016-02-20 - Bounty Awarded 3000$

Special Thanks to Mozilla BugBounty/Bugzilla team.