Reflected XSS - Nearly missed it in the most obvious parameter!!

Updated: Apr 22



If you are manually testing for XSS in a very busy program and you see a common parameter such as q= on one of the top-level domains, will you spend your time testing that parameter, or will you try to find unique parameters by enumerating JavaScript files and spend your time on those instead? In today's blog I'll write about how I nearly missed a "NO FANCY PAYLOAD" XSS in the most common, and most protected, parameter of our time.


I picked a target and started subdomain discovery. While I was gathering the subdomains, I used a few dorks and found directory listings on a few subdomains. The dork was


site:*.redacted.com intitle:index.of


After my subdomain enumeration was complete, I picked a random subdomain, created an account there, and kept intercepting the traffic the whole time. I saw that the website was continuously fetching user data from another subdomain of the same target.

I changed the Origin header to my own website and saw that the server accepted any arbitrary domain in the Origin header.

To confirm the vulnerability I tried to exploit it, and it was exploitable too.

Again, while testing, I run vulnerability scanners in parallel in case of surprises. You don't get a bug from scanners every time, but you should always try. I got an XMLRPC-enabled file URL, which is out of scope in most programs, but at least it gave me something.



Now for the vulnerability of the hour, let's talk about XSS. Nowadays it's not that easy to get an XSS, and especially not in a parameter that is the most obvious, for example utm_medium, utm_source, utm_campaign, q, s, etc. I always look out for and test the parameters I find by enumerating JavaScript files, so I was looking for unique parameters where I could test for XSS.

I finished enumerating JavaScript files for hidden paths, URLs and parameters. I got many parameters and started testing them one by one, trying escaped payloads and encoded payloads. You can find them at the link below.


https://github.com/payloadbox/xss-payload-list

No payload gave me a popup, and a few more payloads later I still hadn't had any success.

It was then that I told myself I was not going to get an XSS on this target. Then I saw a few parameters where I hadn't tested a single payload yet. They were


1) q=
2) utm_source=
3) utm_medium=
4) campaign=

I picked the first parameter and found myself too lazy to pick up the list of payloads again and test them one by one, so I decided to give it only one try, with an escaped payload:


https://redacted.com/?q=hi'>"<svg/onload=confirm(testing-xss)>"

As lucky as I could get:
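Why that payload works, and what the fix looks like, as an added example that is not part of the original write-up: the probe is modelled on the payload above, the page template and the single-quoted attribute context are assumptions, and the parser-based audit shows which tags and on* handlers a browser would actually get from the vulnerable reflection versus the attribute-encoded one.

```python
import html
from html.parser import HTMLParser

# Constructed probe modelled on the write-up's payload; no real target involved.
PROBE = "hi'>\"<svg/onload=confirm(testing-xss)>\""


def render_vulnerable(q: str) -> str:
    """Reflects q verbatim into a single-quoted attribute (assumed context).
    The probe's leading '> closes the attribute and the tag, so the rest of
    the parameter is parsed as markup."""
    return f"<form><input type='text' name='q' value='{q}'></form>"


def render_hardened(q: str) -> str:
    """Same template with attribute-context encoding: html.escape(quote=True)
    turns & < > ' and " into entities, so q can never leave the attribute."""
    safe_q = html.escape(q, quote=True)
    return f"<form><input type='text' name='q' value='{safe_q}'></form>"


class MarkupAudit(HTMLParser):
    """Collects every start tag and every on* event-handler attribute that
    survives parsing; that, not the raw string, decides whether it is XSS."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, n) for n, _ in attrs if n.startswith("on")]

    handle_startendtag = handle_starttag


def audit(page: str, probe: str) -> dict:
    """Parse a rendered page and report the tags, handlers and whether the
    probe came back byte-for-byte unencoded (the first thing to check)."""
    parser = MarkupAudit()
    parser.feed(page)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers,
            "reflected_raw": probe in page}


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        print(label, audit(render(PROBE), PROBE))
```

The vulnerable render yields an extra svg tag carrying an onload handler; the hardened render yields only the form and input with no handler, and the probe text is preserved as data rather than markup.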




One thing I learned: never skip a parameter just because the others are protected and you assume this one will be too.

Thank you guys for your time, I hope you find this informative.

I'll soon post a write-up on my Bounty Report!

Stay Tuned and Peace!
