Day 1: XSS Basics with Gruyere

droski
2 min read, Aug 17, 2016


Today’s post will be relatively short, as I’m heading out to a goodbye happy hour with some friends. Yay for moving across the country! Also, I’ve spent a good amount of my free time working through the reading list and getting a handle on web application testing frameworks.

I was able to spend a bit of time playing with (and trying to break) Google’s Gruyere sandbox site. The tutorial starts off by spinning up a new instance (and getting a unique id) and testing out the standard functionality (creating a user, publishing posts) before trying to break things.

The first sequence of challenges is around Cross-Site Scripting, or XSS. As I understand it, an XSS bug allows a user to embed executable code within a webpage that a user may trust (e.g. google.com). So, for example, you could create a link that a user clicks, and a script runs that can collect information for the attacker, identify information of interest on other tabs, and generally wreak havoc. The first challenge I attempted was trying to get code to run from a URL.

First payload: <script>alert("giggidy")</script>

Next I tried uploading an HTML file that would reveal a user’s cookie information, and was able to do that as well!
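To make the reflected-XSS idea above concrete, here is an added example (my own illustration, not code from the post or from Gruyere) showing how a URL parameter echoed into a page unescaped lets the alert payload run, and how HTML escaping on output neutralises it. The hostname, parameter name and handler functions are assumed for the illustration.

```python
# Added example (not from the post or from Gruyere): a URL parameter reflected
# into HTML unescaped (the bug), beside the same page rendered with output
# escaping (the fix), and a check that verifies the fix took effect.
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample URL: the post's payload, URL-encoded, in a "name" parameter.
# The hostname is a placeholder, not a real Gruyere instance.
SAMPLE_URL = (
    "http://gruyere.example/hello"
    "?name=%3Cscript%3Ealert(%22giggidy%22)%3C/script%3E"
)


def param(url: str, key: str) -> str:
    """Return the first value of a query parameter (empty string if absent)."""
    return parse_qs(urlparse(url).query).get(key, [""])[0]


def render_unsafe(name: str) -> str:
    """Vulnerable: the parameter is pasted into the page as raw HTML, so a
    <script> tag supplied in the URL is executed by the victim's browser."""
    return f"<h1>Hello, {name}!</h1>"


def render_safe(name: str) -> str:
    """Fixed: html.escape() turns <, >, &, quotes into entities, so the
    browser displays the payload as text instead of executing it."""
    return f"<h1>Hello, {html.escape(name, quote=True)}!</h1>"


def reflects_unescaped(page: str, payload: str) -> bool:
    """True if the payload appears byte-for-byte in the page, i.e. the server
    echoed it without encoding. Use it to confirm a fix on your own app."""
    return payload in page


if __name__ == "__main__":
    payload = param(SAMPLE_URL, "name")
    print("unsafe:", render_unsafe(payload))   # payload echoed verbatim
    print("safe:  ", render_safe(payload))     # payload entity-encoded
```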

Thinking ahead..

There seem to be a lot of different ways of injecting malicious code into the Gruyere application. Will continue to try different forms and see what other bugs can be uncovered.

Also, I think I could build a python script to automate XSS URL string testing across numerous subdomains and add to my bug bounty toolkit (although I’m sure something exists). Definitely something that could be useful down the road. Additionally, having some basic html payloads might be helpful as well.

That’s all for today. Please leave feedback/comments/suggestions if you like what I’m doing.

I’m a data scientist with a goal of becoming an amateur security researcher. Follow along on my 30+ day journey to finding a paid bug!