Series of Web Exploits: From Discovery to Disclosure — XSS fun

(No Bounty PAID :@, no thanks, and over 10 XSS)

24BkDoor
3 min readAug 28, 2023
If you say it is not valid because a 400 error was returned, then I advise you to read up on what Cross-Site Scripting attacks are.

My Thoughts

The thrill of discovering vulnerabilities and responsibly disclosing them can be quite rewarding and also vice-versa. Recently, I stumbled upon a series of intriguing endpoints. After further exploration, the endpoint used for this attack appeared to have potential security vulnerabilities. This journey took me through a process of examination, exploitation, and ultimately responsible disclosure. In this blog post, I’ll walk you through how I found and exploited these vulnerabilities and the steps I took to ensure a safer online environment.

Discovery

It all began with the seemingly innocuous URLs that hinted at a web call. Curiosity got the better of me, and I decided to investigate further. The URLs were structured as follows:

- `http://{redacted}.net/cpanelwebcall/<img src=x onerror="prompt('open bug bounty')">aaaaaaaaaaaa`

- `https://{redacted}.army/cpanelwebcall/<img src=x onerror="prompt('open bug bounty')">aaaaaaaaaaaa`

At first glance, these URLs appeared to be pointing towards some kind of resource, potentially tied to statistics or web calls. The fact that there was an “onerror” attribute raised red flags, suggesting a possible vulnerability related to cross-site scripting (XSS).

Exploration and Exploitation

To validate my suspicion, I crafted a simple payload and inserted it into the URLs:


<img src=x onerror="prompt('open bug bounty')">

This payload is a classic example of an XSS probe. If the web page reflects the input without sanitizing or encoding it, the browser executes the injected JavaScript and calls the “prompt” function, resulting in a pop-up.

As I accessed these URLs with the payload, a prompt box indeed appeared, confirming that an XSS vulnerability was present. This vulnerability could potentially allow an attacker to execute malicious scripts in the context of a user’s browser.
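From the defender's side, requests like the ones above leave a clear trace in the web server's access log, whatever status code the server answered with. The following is an added example, not code from the original post: it parses a handful of constructed Common Log Format lines, percent-decodes the request path (including double encoding) and flags paths that carry HTML tags, event-handler attributes or javascript: URIs. The log lines, IP addresses and paths are all made up for the example; the status 400 on the flagged lines mirrors the post's point that a 400 response does not make the reflection harmless.

```javascript
// Added example, not code from the original post. It scans constructed
// access-log lines (Common Log Format) for requests whose URL path carries
// HTML or event-handler markup, which is how the "/cpanelwebcall/<img ...>"
// probes above would show up server-side. Status codes are kept in the result
// because, as the post notes, a 400 response does not mean the reflection is
// harmless.

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [28/Aug/2023:10:00:01 +0000] "GET /cpanelwebcall/%3Cimg%20src%3Dx%20onerror%3D%22prompt(1)%22%3Eaaaa HTTP/1.1" 400 162',
  '203.0.113.5 - - [28/Aug/2023:10:00:02 +0000] "GET /cpanelwebcall/%253Cscript%253Ealert(/x/)%253C/script%253E HTTP/1.1" 400 162',
  '198.51.100.7 - - [28/Aug/2023:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120',
  '198.51.100.7 - - [28/Aug/2023:10:00:04 +0000] "GET /search?q=a%3Db HTTP/1.1" 200 880',
];

// Common Log Format: ip ident user [time] "method path protocol" status bytes
const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Percent-decode repeatedly (bounded) so double-encoded probes such as
// %253C -> %3C -> < are seen in their final form. A malformed sequence
// (URIError) stops the loop and keeps the last successfully decoded form.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      break;
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Indicators checked against the decoded path. Deliberately coarse: any HTML
// tag is flagged, so tune to what your application legitimately accepts.
const INDICATORS = [
  ['html-tag', /<\s*[a-z][a-z0-9]*[\s>\/]/i],
  ['event-handler', /\bon[a-z]+\s*=/i],
  ['javascript-uri', /javascript\s*:/i],
];

function parseLine(line) {
  const m = CLF_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns one record per suspicious request, with the decoded path and the
// list of indicator names that matched.
function flagXssRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue; // unparsable line: skip rather than crash
    const decoded = fullyDecode(req.path);
    const reasons = INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
    if (reasons.length) hits.push({ ...req, decodedPath: decoded, reasons });
  }
  return hits;
}

for (const h of flagXssRequests(SAMPLE_LOG)) {
  console.log(`${h.ip} ${h.status} ${h.decodedPath} -> ${h.reasons.join(', ')}`);
}
```

Run with `node` and the two cpanelwebcall requests are reported, the first for both a tag and an event handler, the second (double-encoded) for the tag alone; the two ordinary requests are not. The regexes are a starting point for a log review or a SIEM rule, not a substitute for fixing the reflection itself.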

Responsible Disclosure

With a confirmed vulnerability in hand, the responsible course of action was to report my findings to the affected parties. Responsible disclosure involves sharing the discovered vulnerabilities with the appropriate individuals or organizations before making them public. This gives them a chance to fix the issues and protect their users.

I proceeded to contact the relevant parties, providing them with a detailed description of the vulnerabilities along with steps to reproduce them. I emphasized the importance of addressing the issues promptly to ensure the security of their systems and users.

Final walk

The journey from discovering potential vulnerabilities to responsibly disclosing them is a crucial aspect of the cybersecurity landscape. In this case, a series of URLs that seemed innocuous at first turned out to have security implications. By investigating and responsibly disclosing the vulnerabilities, I contributed to making the online environment safer for everyone.

If you’re interested in exploring the world of cybersecurity, remember that responsible disclosure is key. As we uncover vulnerabilities, we play a pivotal role in strengthening the digital ecosystem.

Disclaimer: This blog post is meant for educational and informational purposes only. The URLs (now redacted as we are in talks) and payloads mentioned in this post were used for research purposes in a controlled environment with proper authorization. Unauthorized exploitation of vulnerabilities is illegal and unethical. Always follow ethical guidelines and laws when exploring security vulnerabilities.

Pending: After some time I will remove the redacted placeholder. I am just waiting to see how things turn out as this bug will affect others, not just the companies not taking action. After all, I am here to help not destroy. Even if at times companies need to be ‘outed’. Without good intentions, you are no different from any other bad person.

Stay Safe! Stay Aware!

By the way, if you are struggling to change

<script>alert(document.domain)</script> 

to reflect “Open Bug Bounty”, it can be because

<script>alert("Open Bug Bounty")</script>
<script>alert('Open Bug Bounty')</script>

are being caught by security that is not too shabby, which blocks the quotation marks. As a workaround, I just do the following:

<script>alert(/Open Bug Bounty/)</script>

A regular-expression literal needs no quotation marks, so this provides an alternative in situations where you are unable to use single or double quotation marks.
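To make the defender's lesson concrete, here is an added example that is not the original post's code and not the affected site's code. It assumes a hypothetical server-side template that reflects the requested path into an error page (as the cpanelwebcall endpoint above appears to do) and compares three ways of rendering it: no encoding, the quote-stripping filter the post describes, and HTML entity encoding. The `payloadSurvives` check is a string inspection standing in for a browser; a real regression test would render the page in a headless browser.

```javascript
// Added example (not from the original post): why stripping quotation marks
// does not stop the alert(/Open Bug Bounty/) variant, and what does.
// All three render functions are hypothetical; the quote-stripping one is a
// guess at the "not too shabby" filter described in the post.

const PROBE_QUOTED = '<script>alert("Open Bug Bounty")</script>';
const PROBE_REGEX = '<script>alert(/Open Bug Bounty/)</script>';

// 1. No output encoding: any markup in the path is reflected as-is.
function renderUnsafe(path) {
  return `<p>Resource not found: ${path}</p>`;
}

// 2. Quote stripping: the quoted payload loses its string argument (and thus
//    no longer runs), but a regex literal never needed quotes.
function renderQuoteStripped(path) {
  const stripped = path.replace(/['"]/g, '');
  return `<p>Resource not found: ${stripped}</p>`;
}

// 3. HTML entity encoding for an HTML-body context: the browser sees text,
//    never a tag, regardless of which delimiters the payload uses.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}
function renderEncoded(path) {
  return `<p>Resource not found: ${escapeHtml(path)}</p>`;
}

// String-level approximation of "would this run": a literal <script> element
// containing alert(...) whose argument is a complete string or regex literal.
// alert(Open Bug Bounty) with the quotes stripped is a syntax error, so it
// does not count.
function payloadSurvives(html) {
  return /<script[^>]*>[\s\S]*?alert\s*\(\s*("[^"]*"|'[^']*'|\/[^\/]*\/)\s*\)[\s\S]*?<\/script>/i.test(html);
}

// One row per renderer: does each probe still fire after rendering?
function evaluate() {
  const renderers = [
    ['unsafe', renderUnsafe],
    ['quote-stripped', renderQuoteStripped],
    ['encoded', renderEncoded],
  ];
  return renderers.map(([name, render]) => ({
    renderer: name,
    quotedPayloadFires: payloadSurvives(render(PROBE_QUOTED)),
    regexPayloadFires: payloadSurvives(render(PROBE_REGEX)),
  }));
}

console.table(evaluate());
```

The table shows the quote-stripping renderer blocking the quoted probe and passing the regex one, which is exactly the behaviour the post works around, while the encoded renderer passes neither. The fix is therefore output encoding for the context the value lands in, not a denylist of characters.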

Happy hunting defenders of the web!

24BkDoor

Some people have been struggling to find their first bug so I thought I would show this video. It is a real example as often enough we all struggle. Hopefully, these small steps help someone find their bug. Stay positive and do not let them break your spirit. There are several ways to hack.
