Story of the best vulnerability I’ve found so far…

Vedant Tekale
Dec 7, 2020

Hello all the amazing hackers and cyber security enthusiasts. My name is Vedant and I’m an aspiring bug bounty hunter and a cyber security enthusiast. Today I want to share with you a story about the best bug I’ve found so far. For about 3 months I was fully concentrated on only one program, which was a private program, and it was a very nice experience for me as I learned a lot about their infrastructure. Sticking to only one program is really a good practice and it can fetch you a lot of bounties. So now let’s understand the bug.

Introduction about the target:-

So the web app was like a customer portal where one can create an account, search for different products and also request the products. There was no way one normal user could see another user’s profile. And there was nothing else apart from these features.

Initial finding:-

portal.target.com was the target. So as always I started with some recon about the target. I gathered some info about the technology stack used, then I tried directory brute force on that subdomain to find some interesting directories, but no luck, nothing interesting was found :(

So after trying all that I decided to create an account on the web app, and while creating the account I used a simple HTML payload like <h1>tester</h1> in both the first name and last name fields. After creating the account and confirming the email I logged in to the account dashboard and immediately saw that my HTML payload executed in both the parameters, and I was super excited :)

I quickly got to the edit profile section, and in the first name field I replaced the HTML payload with a simple XSS payload like <img src=x onerror=alert(1)>, clicked on save changes and went back to the dashboard page, and the stored XSS triggered successfully. Now I was super super super excited, and immediately, without thinking about anything, I started to write the report, and while writing the impact in my report I was totally blank. I was like ‘Wtf is the impact here?’, as there was no way one normal user could see another user’s profile, and hence cookie stealing and account takeover of other users was out of the question :( After realizing all this I was very very sad :(😔

My reaction at that time. 😂

The idea:-

After that I took a break and went out for a walk. After some time I got an idea. I thought, if other normal users can’t see my profile, there is still one person who can see any normal user’s account, and that person is… yes, you guessed it right, the admin. So now the challenge was how I could get the admin to see my profile and how I could know that my payload executed. After thinking for some time I remembered the request content feature. Then I thought, if I type anything in that request content feature and repeat that request 20–30 times, the admin or someone on the other end will surely notice it.

So getting the admin’s attention was done; now, how could I know my payload actually triggered in the backend? Then I thought, why not enter the blind XSS payload in my profile as the first name and then request the content? So I quickly went to xsshunter.com, got the simple payload, changed my first name to the BXSS payload and went to the dashboard just to see if it was working or not, and it was working, as I got the mail from xsshunter saying my payload triggered.

Now, as planned, I typed random characters in that request content feature and repeated that request 20–30 times, and now it was time to wait for the admin to notice me. Then I went out with my friends for 2–3 hours, and after I came back home I got a mail from xsshunter saying my payload triggered, and I was very excited. I opened the mail and saw that the BXSS had triggered in the admin panel and I got the cookies of the admin 😁. In the screenshot I saw that the admin was trying to ban my account and the blind XSS payload triggered there. I was like,

I win.

So I went from a self stored XSS to admin account takeover just by not giving up and some planning 😎. Then I reported the issue and after 3–4 weeks I was awarded a very nice bounty!
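The root cause in this story is a profile name that is stored and later rendered without output encoding, on the user’s own dashboard and on the admin panel alike. The following is an added example, not code from the original post or from the target, that shows that vulnerable rendering path beside a hardened one; the function names, the template markup, and the response headers are assumptions.

```python
# Added example (not the post's or the target's code): how a stored name field
# turns into stored XSS when rendered verbatim, and how output encoding at
# render time neutralises it. Template markup and header values are assumed.
import html
import re

# Constructed inputs: the two values the post describes storing in the name fields.
HTML_PAYLOAD = "<h1>tester</h1>"
XSS_PAYLOAD = "<img src=x onerror=alert(1)>"


def render_unsafe(first_name: str, last_name: str) -> str:
    """Vulnerable rendering: the stored name is interpolated straight into HTML.
    Any markup in it becomes part of the DOM on every page that shows this
    record, including an admin panel the user never sees."""
    return f"<div class='profile'><span>{first_name} {last_name}</span></div>"


def render_safe(first_name: str, last_name: str) -> str:
    """Hardened rendering: every untrusted value is HTML-entity encoded at
    output time, so '<' can never open a tag and quotes cannot break out of
    an attribute (html.escape encodes & < > \" and ')."""
    return (
        "<div class='profile'><span>"
        f"{html.escape(first_name)} {html.escape(last_name)}"
        "</span></div>"
    )


_TAG_RE = re.compile(r"<[^>]*>")


def contains_markup(value: str) -> bool:
    """Server-side check for a name field: flag anything that looks like a tag so
    it can be rejected or logged for review. Defence in depth only; output
    encoding is what actually fixes the bug."""
    return bool(_TAG_RE.search(value))


def security_headers() -> dict:
    """Headers for every rendered page (assumed values). The CSP disallows inline
    script such as an onerror= handler even if an encoding bug slips through,
    and HttpOnly keeps script from reading the session cookie."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax",
    }
```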

I hope you liked reading this blog. If you have any doubt regarding this you can contact me here. Thank you so much for reading and happy hacking :)
