A $75 Base64 encoded parameter.

Navneet
May 19, 2019 · 2 min read

This article is about a parameter that accepted its value not as plain text or HTML but as a base64-encoded string. It describes what the bug was and how it was submitted.


It was the first/index page of a subdomain belonging to a public program, and it was a login page. I was not interested in looking for anything and was about to close the page, but somehow I unintentionally entered admin/admin into the login form, and an error came up above the form saying wrong credentials. The thing that caught my eye was the parameter that appeared in the address bar, “errLogin”, whose value was not plain text.

The link looked like:

https://www.SomeWebsite.com/?errLogin=[Some_base64_encoded_String]

So I thought, let’s try entering plain text into the parameter. When I did, some gibberish text was reflected above the login form where the error message had been shown.

Now I thought it could be an XSS bug, but the payload was again reflected as gibberish. Then it occurred to me to decode the value as base64. I copied the encoded text and decoded it using a base64 decoder website, and it showed simple HTML code like this:

<b>Error:</b>Wrong credentials

Now I wrote some simple HTML, base64-encoded it and entered it as the value of the parameter, and yay! It was reflected above the login form where the error message was shown.

I thought this could now be turned into reflected XSS, but I was not able to pop up an alert box because of the filter the website had. I tried a lot of payloads but could not pop up the alert box.


I did not want to submit the report without showing any effect, so I submitted it as HTML injection with the PoC below:

<a href='https://www.google.com'> Register! </a>

The whole link looked like:

https://www.SomeWebsite.com/?errLogin=[base64_encoded_injected_HTML]

Submitted Impact:

When a user visits the link above and clicks on Register, he/she is taken to Google.
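As an added example (not part of the original post), the following Python models the behaviour described above: a base64-encoded errLogin value that is decoded and inserted into the page unescaped, beside a hardened version that escapes the decoded text and a stricter one that only accepts a fixed message key. The function names, the wrapper div, the message key and the sample values are my assumptions, not the program's code.

```python
import base64
import binascii
import html
import re

# Constructed sample: the markup the post reports the application itself emitted.
SERVER_ERROR = "<b>Error:</b>Wrong credentials"


def encode_param(text: str) -> str:
    """Build an errLogin value the way the application expects it (base64 of UTF-8 text)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_err_login(param: str):
    """Decode errLogin as the application did; None if it is not valid base64/UTF-8."""
    try:
        raw = base64.b64decode(param, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None


def render_error_vulnerable(param: str) -> str:
    """Mirrors the reported bug: decoded bytes go into the page as markup."""
    decoded = decode_err_login(param)
    return "" if decoded is None else f'<div class="error">{decoded}</div>'


def render_error_hardened(param: str) -> str:
    """Treat the decoded value as data: HTML-escape before inserting it."""
    decoded = decode_err_login(param)
    return "" if decoded is None else f'<div class="error">{html.escape(decoded)}</div>'


# Stronger fix: never carry markup through the URL; map a fixed key to a server-side message.
ERROR_MESSAGES = {"bad_creds": SERVER_ERROR}  # assumed key name


def render_error_by_key(key: str) -> str:
    message = ERROR_MESSAGES.get(key)
    return "" if message is None else f'<div class="error">{message}</div>'


TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup_after_decode(param: str) -> bool:
    """Detection helper: flag a request parameter whose base64 decodes to something with tags."""
    decoded = decode_err_login(param)
    return decoded is not None and TAG_RE.search(decoded) is not None
```

The detection helper is the kind of check a WAF rule or log review can apply to parameters that are expected to carry only opaque tokens.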

Point to note:

If gibberish text is reflected as a result of input to some parameter, try base64-encoding the input first; it may work.

Bounty:

This was accepted as a valid bug and $75 was rewarded in return. They also said that if I could submit it as XSS, they could pay more.
