Weaponizing XSS Attacking Internal System

Weaponizing XSS Attacking Internal System




                              Courtesy of BruteLogic ❤

Few week ago I was talking to a friend of mine when he gave me a subdomain that had an admin panel and asked me weather I could find a way to get inside, Why not give it a try.




So I stared my recon by doing Directory Scanning , Checking SQL injections , Checking if there is some vulnerable libraries and finally




Shit but I was curious to know more about it and I went to GOOGLE and searched for the company and gathered more info about the company even gave a connection request to the CTO via LinkedIn (we will get to the CTO in a minute)
While looking at the company website I saw a support panel where I can submit tickets somewhere in my head I was having a voice saying its vulnerable and I should test it.
Hmm May be a Blind XSS so i went to my XSSHunter account and copied the payload and submitted the request I never had any hope of having a successful execution but the next day I logged in to my account to check if it was executed and BOOM .




I was able to grab the cookie of the user which I was able to impersonate and gain a valid session Boom inside Internal System.




I registered an new account and submitted a Responsible Disclosure
After a Day I was greeted with one of the best messages that Ive ever got




This mail was actually by the CTO of the company a really cool guy who rewarded me for my finding.

Comments

Post a Comment

Popular posts from this blog

From Hunting for a Laptop to Hunting down Remote Code Execution

Image
Write-Up By Anil Tom It was another ordinary day that I came home from office and was chatting with my roommates, when one of my friends called up and told he wanted to buy a new laptop and needed some suggestions. So I went online and began hunting for laptops that met his requirements. I was reading about one of the Asus RoG models, when suddenly the Bug Hunter in me woke up and I asked myself why I shouldn’t Recon the Asus website. So I began my recon of the website, and spent a whole night looking for a bug on their main domain and did not find anything… The next day morning I went to my office, but my mind was still on the Asus bug hunt. That evening I got a notification on my mobile that there was an update for the Termux app. And suddenly my Bug Hunter senses tingled, and I thought, “Why don’t you run a sublister against asus.com on the mobile?” I randomly selected one of Asus’ sub-domains, specifically  http://stw.asu...
Read more

Vine User’s Private information disclosure

Image
Hello  readers, This is  Prial Islam  a security researcher from Bangladesh . This is a old finding of mine adding into my blog . Today I will write about a Critical   IDOR vulnerability that will lead to  Information Disclosure   what allowed me to get any Vine user’s sensitive information including   Ip address/phone no/email  . I reported this bug to Twitter Security team in their  Bug Bounty Program in Hackerone  and they Rewarded me with a amount of  7560$ for  this report  . $$$$ + Blog post permission 😾 😇 Vine has issued a statement regarding this vulnerability on their  Vine blog Post here  and also Hackerone mentioned this vulnerability in hackerone  Zerodaily Newslatter  . Vulnerable Endpoint  :- https://vine.co/api/users/profiles/<User Id> When I was testing vine domains for something interesting . I noticed the Endpoint what response wa...
Read more

User Account Takeover [Password Change]— Nice Catch!

Image
Writeup By Rohit Kumar Image Credits: Record Future Ever thought how you are implementing and passing data from the form to your queries? You are doing it dynamically? Summary : In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short. I will not take much time. About Target:  Target was From a private program. So, let’s assume the target is site.com Reproduction steps: Login into your site.com account. Navigate to  https://www.site.com/users/[user_id]/edit Now, you will see a form which allows you to edit your account details and there is also another option to change your current password which requires your old password but this can be bypassed easily. Now, for bypassing this change password feature. Just edit your account details and then submit this request and meanwhile intercept it. Now you will notice some $_POST fields which will be like user[first_...
Read more