Simple Logical Bug Turned into a Bounty

Behind the Scene: XSS

Hey Hackers, I hope you are all doing great in your life, and if not, then you are at the right place to at least remove the queries of XSS from your life. This is my 8th valid bug on Intigriti. I was rewarded 150,00 EUR by Sqills.

This article is going to get you somewhere close to perfection (as we all know, nobody is perfect :P). So, without wasting any time, let's dive in.

What is XSS (cross-site scripting)

XSS is a client-side code injection attack: by embedding malicious code in a genuine web page, the attacker aims to execute harmful scripts in the victim's web browser. I found this image helpful for understanding the concept clearly. Have a look and try to understand what is actually happening.

XSS is a very interesting and dynamic bug class for a number of reasons.

  • The severity can range anywhere from informative to critical, depending on the application and context
  • It can result in remote command execution in some contexts
  • Due to the dynamic nature of the bug class, it is difficult to prevent from a development standpoint
  • More complex XSS vulnerabilities will be mostly missed by automated tooling

Gaining an XSS on a vulnerable application may give an attacker the ability to:

  • Steal session tokens, giving them full control of the user’s session
  • Bypass the Same-Origin Policy (SOP), allowing them to perform sensitive actions as if they were logged in as the victim user
  • Exfiltrate information that is viewable by the victim user, for example

The Vulnerability

I can't share any details on the vulnerability, as I don't have permission. But here is an example:
The backend code might look something like this:
<html>
<head><title>MyApp</title></head>
<body>

<?php
$name = $_GET['name'];
// Blacklist filter: reject any value containing the substring 'script'.
// strpos() is case-sensitive and checks only this one word, so a payload
// that does not contain it (e.g. an <img> tag with an onerror handler)
// passes straight through.
if (strpos($name, 'script') !== false) {
    http_response_code(403);
    die('Forbidden');
}
?>

<!-- The parameter is echoed into the HTML body with no output encoding: reflected XSS. -->
Welcome to MyApp, <?php echo $_GET['name']; ?>

</body>
</html>

Now, if we try to inject a <script> tag, it won't work, because the filter rejects anything containing the word script:

[Screenshot: the script-tag attempt is rejected by the filter]

[Screenshot: the <img src=x onerror=alert(1)> payload passes the filter and the alert fires]

In this case, we've used a handy little feature called HTML event attributes. They let you specify JavaScript to execute when a specific event occurs. Here, we attempt to load an image with its src attribute set to "x". Of course, there is no image hosted at "x", so an error occurs. When the error occurs, the onerror event attribute fires, and we have set it to alert(1). A good list of event attributes can be found here: https://www.w3schools.com/tags/ref_eventattributes.asp

Alert is blocked

Another common blacklisted word is “alert”, which can be bypassed easily by using prompt(1), console.log(1), or literally anything else.

Strings are blocked

Sometimes you will run into situations where you cannot form a string, maybe because quotes are blocked, or for some other reason. In this case, String.fromCharCode can be really handy. It takes ASCII codes and turns them into a string. For example, this payload:

[Screenshot: payload calling String.fromCharCode(88, 83, 83)]

This will create an alert box with the characters corresponding to 88, 83 and 83, which just happens to be XSS.
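To see why the word blacklist above fails and what actually closes the hole, here is a Python model of the page's PHP filter placed beside an output-encoded version. This is an added example, not the page's or Sqills' code; the payloads are constructed from the ones discussed above, plus a mixed-case variant that shows the case-sensitive strpos check is weak on its own.

```python
import html
import re
from typing import Dict, Optional

# Constructed payloads: the two from this write-up plus a mixed-case variant.
PAYLOADS = {
    "script_tag": "<script>alert(1)</script>",
    "img_onerror": "<img src=x onerror=alert(1)>",
    "mixed_case": "<ScRiPt>alert(1)</ScRiPt>",
    "fromcharcode": "<img src=x onerror=alert(String.fromCharCode(88,83,83))>",
}

# Matches the start of anything a browser would parse as a tag.
TAG_START = re.compile(r"<[a-zA-Z]")


def blacklist_allows(name: str) -> bool:
    """Model of the PHP check: strpos($name, 'script') !== false.
    strpos is case-sensitive, so only the exact lowercase substring is caught."""
    return "script" not in name


def render_vulnerable(name: str) -> Optional[str]:
    """The page's backend: block on the word 'script', otherwise echo the raw value.
    Returns None for the 403 Forbidden branch."""
    if not blacklist_allows(name):
        return None
    return f"Welcome to MyApp, {name}"


def render_hardened(name: str) -> str:
    """Contextual output encoding for an HTML text node: < > & " ' become entities,
    so no user input can ever be parsed as a tag or attribute, whatever words it uses."""
    return f"Welcome to MyApp, {html.escape(name, quote=True)}"


def parses_as_tag(page: str) -> bool:
    """Crude check: does the rendered HTML still contain a live tag start?"""
    return TAG_START.search(page) is not None


def audit() -> Dict[str, Dict[str, bool]]:
    """For every payload, report whether it is blocked, and whether it reaches the
    browser as live markup under the blacklist versus under output encoding."""
    report = {}
    for label, payload in PAYLOADS.items():
        vuln = render_vulnerable(payload)
        report[label] = {
            "blacklist_blocks": vuln is None,
            "blacklist_live_markup": vuln is not None and parses_as_tag(vuln),
            "encoded_live_markup": parses_as_tag(render_hardened(payload)),
        }
    return report
```

Run audit() to see that the blacklist stops only the literal script tag, while html.escape neutralises every payload without needing to know any of their words.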
