PayPal Stored XSS using XML file upload

Hey Guys,

Today I'm going to share an interesting Stored XSS vulnerability I found on the PayPal site using XML file upload.

PayPal allows users to create an invoice and send it to other users. It also allows attaching a file to the invoice. So I started trying to upload files with different extensions and found that PayPal allows users to upload XML-formatted files.

Next I tested for an XXE vulnerability, but had no luck, which makes me happy. I applied a couple more test cases, but did not find anything interesting to make this vulnerable.

I noticed that if we upload an XML file with a script tag, it works perfectly.

<?xml version="1.0" encoding="UTF-8"?>
<Query>
<SearchTerm>
<script xmlns="http://www.w3.org/1999/xhtml">
alert(document.cookie);
</script>
</SearchTerm>
</Query>

Now the next step: exploitation!

Exploiting the bug is very easy. To carry out this attack, create an invoice with the XML file and send it to the victim. When the victim opens the attached XML file, the script runs in his/her browser.

I reported it to the PayPal security team and the bug was valid. After the fix, the PayPal team rewarded me with a bounty under the PayPal Bug Bounty program.
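
The file above only runs script because the browser renders the attachment inline and honours the XHTML namespace on the script element. The following is an added example, not PayPal's actual fix and not code from the original post: a server-side check that rejects such uploads, plus response headers that force a download. It assumes attachments only need un-namespaced elements; `check_xml_attachment`, `download_headers` and `is_safe` are hypothetical names.

```python
import re
import xml.parsers.expat as expat

# Assumption: invoice attachments only ever need un-namespaced elements.
ALLOWED_NAMESPACES = {""}

class UnsafeXml(Exception):
    """The upload could become active content if a browser renders it."""

def check_xml_attachment(data: bytes) -> None:
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTDs at all: closes off entity tricks (XXE, entity expansion).
        raise UnsafeXml("DOCTYPE not allowed")

    def on_start(name, attrs):
        # With namespace_separator set, expat reports names as "uri local".
        uri, _, local = name.rpartition(" ")
        if uri not in ALLOWED_NAMESPACES:
            raise UnsafeXml(f"<{local}> is bound to namespace {uri}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXml(f"not well-formed XML: {exc}") from exc

def download_headers(filename: str) -> dict:
    """Headers that make the browser save the file instead of rendering it."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples: the file from the post and a harmless one.
POST_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Query><SearchTerm>
<script xmlns="http://www.w3.org/1999/xhtml">alert(document.cookie);</script>
</SearchTerm></Query>"""
PLAIN_SAMPLE = b"<Query><SearchTerm>invoice 42</SearchTerm></Query>"

def is_safe(data: bytes) -> bool:
    try:
        check_xml_attachment(data)
        return True
    except UnsafeXml:
        return False
```

The headers matter even when the content check passes: a file that is never rendered inline on the application's origin cannot run script there.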