[Bug Bounty Writeups] Exploiting Cross Site Scripting XSS

Ahmed Hassan (Bishoo97x)
3 min read · Sep 23, 2021

My YouTube channel: https://www.youtube.com/watch?v=IPmpQa1iUEA
Please subscribe and support me :)

This writeup shows how important it is to test every single input field on any website, even if it is just a form. So let us start :)

While hunting on a website (vulnerability not fixed yet), let's say vulnerable.com, I searched for input fields. The website is designed for booking hotels, rooms, etc. So I started searching for a wonderful expensive hotel to book ;)

I selected the date and all the other fields where I did not have any possibility to write or edit anything; those were well configured. Let's go to the next step. I had to enter further uninteresting information like the number of beds, etc.

Shortly after, I got a lot of input fields where I could fill in my personal data like name, birthday, address and so on. At this moment I thought about one thing:
XSS — CROSS SITE SCRIPTING

First of all, there is a rule you always have to follow, both when writing code and when testing web applications for vulnerabilities like XSS: "Never ever trust user input." That is exactly what the programmer failed to do here: he trusts anything given by the user. So an attacker can write malicious JavaScript code and send the link to another user to steal his cookies or redirect him to a malicious website. If it is stored XSS, the payload is saved on the web server and served to every visitor, which is even more dangerous.

The impact of an XSS vulnerability varies. For example, we can start a listener and wait until the admin or any other authenticated user is logged in, capture his cookies and log in with them, provided the HttpOnly flag is not set on the session cookie. There are also other methods, like redirecting to malicious websites and so on.

Before you test any JavaScript code, you can generally test with an <h1> tag first to see whether it renders as a header, but it is not necessary.

The admin does not filter user input in ANY of the possible input fields, and through this I got 9 XSS alerts, one from every input field except the email input field. The payload was very simple and not even encoded:
<script>alert('Reflected XSS never trust User Input ever')</script>

That means the admin is not filtering user input at all, not even in a simple way like blacklisting some special characters, for example <, >, /, etc. Now we can contact the company and report the 9 XSS alerts found on their web application. :) Thank you for your time reading my writeup. I will publish the next vulnerability soon :) and hope you will share, like and support my writeups :) Stay safe.
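As an added example (not code from the original writeup or from the affected website), here is a small Node.js sketch of the server-side mistake described above beside its fix: a booking confirmation page that reflects the submitted fields verbatim, and the same page with every field HTML-encoded, fed the writeup's own payload as constructed input, plus a regression check that flags a reflected <script> tag. The field names and the render/check function names are assumptions for illustration.

```javascript
// Added example, not from the original writeup: the reflection bug it
// describes, beside the fix (HTML entity encoding of every user field).
// Field names and function names are illustrative assumptions.

// Payload quoted in the writeup, used here as constructed sample input.
const PAYLOAD = "<script>alert('Reflected XSS never trust User Input ever')</script>";

// Encode the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable confirmation page: submitted fields are interpolated as-is,
// so a field containing markup becomes part of the page (reflected XSS).
function renderConfirmationVulnerable(fields) {
  return Object.entries(fields)
    .map(([name, value]) => `<p>${name}: ${value}</p>`)
    .join('\n');
}

// Hardened confirmation page: the same template, but every field is
// encoded before it reaches the markup, so the payload renders as text.
function renderConfirmationSafe(fields) {
  return Object.entries(fields)
    .map(([name, value]) => `<p>${escapeHtml(name)}: ${escapeHtml(value)}</p>`)
    .join('\n');
}

// Regression check: does the rendered fragment contain a raw <script> tag?
// The template itself has no scripts, so any hit came from user input.
function reflectsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed booking submission with the payload in the name field.
const SAMPLE_BOOKING = { name: PAYLOAD, birthday: '1990-01-01', address: 'Example Street 1' };

console.log('vulnerable reflects <script>:', reflectsRawScript(renderConfirmationVulnerable(SAMPLE_BOOKING))); // true
console.log('hardened reflects <script>:', reflectsRawScript(renderConfirmationSafe(SAMPLE_BOOKING)));       // false
```

The same check can be pointed at real HTTP responses of a form to catch a field that is reflected without encoding before it reaches production.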
