Cross-site scripting: The power of the hidden parameters.
Hey everyone! This is another XSS writeup that you can learn from, a strange one in fact.
It’s my first writeup so be kind to me. I am just trying to share my findings.
Like any other bug hunter, one day I had the urge to look for a bug, so while browsing HackerOne programs, my eyes caught Sony’s program.
Let’s test sony I said.
I started my recon by opening google and playing with some dorks such as site:*.sony.*
After a while, I found the domain “sony.jp”. I checked it and it seemed like a good start.
As a start, I used amass like below to gather some subdomains.
amass enum -passive -d sony.jp -o sony.txt
After getting a list of subdomains, I passed them to httprobe to only keep the alive ones.
However, if you want to get only working subdomains, you can use amass, httprob like this:
amass enum -passive -d sony.jp -o sony.jp ; cat sony.jp | httprobe | tee sony.txt ; rm sony.jp
I started enumerating the list of subdomains for a while and then I noticed one with a lot of functions.
What I mean by “a lot of functions” is it has many user interactions.
I tried to fetch for bugs like csrf , IDOR , sql , and even rce, but I couldn’t find anything of interest.
What about XSS?!
I started searching for parameters and I got a lot of ones but sadly no xss. :’(
I checked the source code in the browser. I started looking for hidden parameters, then I found a parameter named “cs”.
Tip: Never forget to look for hidden parameters in the source code. click view source code and search for “hidden”, “input”, or “var” parameters.
I tried injecting a bunch of XSS payloads in it but nothing worked out. :(
While I was about to give up and look for another subdomain, I hyped myself a little and tried the parameter “Couponcode”
Because there was an option to add a coupon code on the page.
redacted.sony.jp/?Couponcode=hunter”><svg/onload=confirm(document.cookie)>
Unfortunately, no XSS.
But when I added the “cs” parameter, the XSS popped up.
So the final url is :
redacted.sony.jp/?Couponcode=hunter”><svg/onload=confirm(document.cookie)>&cs=
So here’s how it works.
When I put the payload in the “couponcode” parameter the XSS didn’t work out because the payload was filtered, but when I added the cs parameter, a new “<link>” tag was generated in the source code, which had no filter.
<link href=”https://redacted.sony.jp/?Couponcode=hunter"><svg/onload=confirm(document.cookie)>&cs=">
That’s it.
See you in the next writeup.
twitter: https://twitter.com/kassihmouhssine
