Reflected XSS Vulnerability leads to Credential Stealing worth $100

Ferdi Riansyah
3 min read · May 2, 2022

Hi! This is Rian with my very first bug bounty write-up.

I will describe how I found an XSS vulnerability by bypassing a weak WAF filter. Let's jump into the story…

Back Story

A few days ago I got very interested in penetration testing and bug bounty stuff, so I started reading articles about them and then decided to try it myself. At one point I found a company that runs a bug bounty program open to public pentesters. Due to the program rules I can't tell you the domain, so let's call it “vulnerable.com”. Their bounty program scope was very large and covered all their subdomains, “*.vulnerable.com”. After doing some manual recon and checking all the functionality on their main domain, I found out…

Jumping into the bug

That little search input looked kinda sus on the search page “https://vulnerable.com/search”.

So I started testing it with parameter tampering and a basic test for the vulnerability.

Payload

  • test"

The search input didn't display my payload on the interface, and the first thing I thought was to go straight into the Firefox developer tools. There I found out that my payload was getting injected into the input tag, which looked like this:

Vulnerability

<input value="test"" autocomplete="off" class="" type="search" name="term" placeholder="Search">

As you can see there is an extra quotation mark next to my payload, which means the WAF didn't filter my quote. Then I made some payloads to see if it was really vulnerable.

Payload

  • "><script>alert(document.domain)</script>
  • %22+onfocusin=%22alert(document.domain)%22+autofocus+%22

As soon as I injected these payloads I got caught by the WAF.

ModSecurity WAF's error message

After some time spent trying to figure out which characters they didn't filter, creating a bunch of payloads and getting the same response from the firewall every time, in the end I managed to find a way to bypass it with my final payload.

Final Payload

  • %22+onfocusin=%22alert%26lpar;document.domain)%22+autofocus+%22

And guess what?!

The website showed an alert message containing its domain

After seeing this, I was like…

Impact

An attacker could use it to steal user credentials just by sending a victim a link with a specific payload, for example one reading “document.cookie” or any other credential held in the website, and could also get full access to the victim's account.
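To show why the final payload got past the filter and what actually closes the hole, here is an added Python example (my own code, not the author's or the program's): it interpolates the decoded search term into the input tag from the write-up, uses an HTML parser to show the browser's view of the attributes (where `&lpar;` is decoded back to `(`), and contrasts a hypothetical regex signature that only inspects the raw parameter with one that decodes entities first; the `CALL_SIGNATURE` rule is an assumption standing in for whatever ModSecurity rule fired.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# The final payload from the write-up, exactly as it travels in the "term" query parameter.
FINAL_PAYLOAD = "%22+onfocusin=%22alert%26lpar;document.domain)%22+autofocus+%22"
# The input tag from the write-up, with the search term interpolated into value="...".
INPUT_TAG = '<input value="{}" autocomplete="off" class="" type="search" name="term" placeholder="Search">'

def decode_term(param: str) -> str:
    """URL-decodes the query parameter the way the server sees it ('+' is a space)."""
    return unquote_plus(param)

def render_vulnerable(term: str) -> str:
    """Drops the raw term into the attribute, as the page in the write-up did."""
    return INPUT_TAG.format(term)

def render_fixed(term: str) -> str:
    """Same markup, but the term is escaped for an attribute context (quotes and & included)."""
    return INPUT_TAG.format(html.escape(term, quote=True))

class _InputAttrs(HTMLParser):
    """Collects the <input> attributes as a browser's parser sees them: entity
    references such as &lpar; are decoded inside attribute values."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def input_attrs(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs

def has_event_handler(markup: str) -> bool:
    """True when the term broke out of value="..." and added an on* handler attribute."""
    return any(name.startswith("on") for name in input_attrs(markup))

# Hypothetical WAF signature standing in for the rule that blocked alert(document.domain).
CALL_SIGNATURE = re.compile(r"alert\s*\(", re.IGNORECASE)

def naive_filter_blocks(term: str) -> bool:
    """Matches the raw parameter only, so &lpar; hides the '(' the rule looks for."""
    return CALL_SIGNATURE.search(term) is not None

def normalised_filter_blocks(term: str) -> bool:
    """Decodes HTML entities first, so the rule sees what the browser will execute."""
    return CALL_SIGNATURE.search(html.unescape(term)) is not None
```

Run `input_attrs(render_vulnerable(decode_term(FINAL_PAYLOAD)))` to see the `onfocusin` handler with its parenthesis restored, and the `render_fixed` variant to see the whole term kept inside `value`; the escaping fix holds even if the WAF is removed entirely.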

I immediately reported it to their security team. After a while they responded to my report, said they were able to reproduce my bug, and asked me to give them some time to fix it. After they fixed it they asked me to try reproducing the bug again, and yeah, it didn't work; it was finally fixed. They gave me a $100 bounty for this bug. I was very happy since it was my first valid bug (I had found other bugs before, but they were always marked as duplicates at other companies).

So that is the little story of my first bug bounty. I hope you enjoyed it, and see you in the next bug bounty write-up.

Cheers…!!!
