
Persistent XSS Vulnerability in Freelancer

Freelancer recently announced a Bug Bounty Program; details are available here: Freelancer Vulnerability Submission. Since the program rewarding security researchers for responsible disclosure of vulnerabilities in Freelancer.com is brand new, I was quite sure the site would be vulnerable to many attacks, because researchers had not yet turned their attention to it.

The simplest and fastest vulnerability to find is cross-site scripting (XSS), so I took the following steps to get the hidden pop-up message to appear on Freelancer.

1: I created a new project with my account (as employer).
1-1: I used a payload in the project description and details, but nothing happened, and worse, my project was declined by Freelancer, since projects go through approval first.
1-2: I upgraded my account to Plus, which gave me the option of a priority project that is posted immediately without any review. So I created a test project to look for an XSS vulnerability in Freelancer.
2: I created another Freelancer account to test as a freelancer submitting proposals/bids.
3: I submitted a bid from the freelancer account (the second account), using the payload in both the description and the message field.

4: I checked the message from the freelancer who had just bid on the project. In the employer's inbox, when I opened the message, I got the pop-up.
To re-test the vulnerability, I refreshed/reloaded that page. After the reload, the pop-up did not appear, so I realized that the message field was not vulnerable to XSS. But then why had my first message succeeded in triggering the pop-up?
You got it! It was the description field that was vulnerable to XSS in Freelancer.
To confirm this, I retracted/cancelled my bid (as freelancer) from the project and submitted a new bid on the same project, this time with a slightly modified payload in the description and a different one in the message field.


Then, from the employer account, I moved the mouse pointer over the message box as shown in the image above. A drop-down list of messages appeared. I moved the pointer to the most recent message (the one containing the payload in the description), and another side box appeared that loaded the bid details (including the description). And guess what happened next?
The payload I used was displayed as text in the message field. The same payload was used in the description, and when the bid details preview loaded the description field, the payload executed, so the pop-up appeared as defined in the payload.
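As an added illustration (not Freelancer's code, and not from the original post), the model below shows how a bid preview can HTML-encode one field while concatenating another one raw, together with a regression check a defender can run against such a renderer to find the field that leaks markup. The field names, the `<xss-probe>` marker and the sample bid are constructed for this example.

```javascript
// Added example: a minimal model of the bid-details preview described above.
// The message field is encoded but the description is not, mirroring the
// behaviour the write-up found. Field names and sample data are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text so it is safe to interpolate into HTML text or attribute nodes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable variant: the inbox message is encoded, but the bid description
// loaded into the preview box is concatenated raw.
function renderBidPreviewVulnerable(bid) {
  return `<div class="message">${escapeHtml(bid.message)}</div>` +
         `<div class="bid-details"><p>${bid.description}</p></div>`;
}

// Hardened variant: every user-controlled field goes through escapeHtml.
function renderBidPreviewFixed(bid) {
  return `<div class="message">${escapeHtml(bid.message)}</div>` +
         `<div class="bid-details"><p>${escapeHtml(bid.description)}</p></div>`;
}

// Regression check for a renderer: place a harmless, non-executing marker tag
// in one field at a time and report every field whose markup survives unencoded.
function findUnencodedFields(render, fields) {
  const leaking = [];
  for (const field of fields) {
    const marker = `<xss-probe data-field="${field}"></xss-probe>`;
    const bid = Object.fromEntries(fields.map((f) => [f, 'harmless text']));
    bid[field] = marker;
    if (render(bid).includes(marker)) leaking.push(field);
  }
  return leaking;
}

// Constructed sample bid, as a freelancer might submit it.
const SAMPLE_BID = { message: 'Hi, I can start today.', description: '<b>Fast delivery</b>' };

console.log(findUnencodedFields(renderBidPreviewVulnerable, ['message', 'description'])); // [ 'description' ]
console.log(findUnencodedFields(renderBidPreviewFixed, ['message', 'description']));      // []
console.log(renderBidPreviewFixed(SAMPLE_BID));
```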
Rewards: a $300 bounty, Hall of Fame (HOF), "The Hacker" badge on my Freelancer profile, and a T-shirt from Freelancer.