2 DOM Based XSS in ucweb.com
I am Sudhanshu Rajbhar, and today I am going to share the story of two DOM-based XSS bugs I found in Alibaba's Bug Bounty Programme.
I had just come to know about Alibaba's Bug Bounty Programme, and that it has a large scope, so I decided to take a look at it. It was the first week of August. My maths exam was two days away, but I was busy with this.
After reading their policy and checking the scope, I went on YouTube and searched for bugs that had already been found in Alibaba websites to get an idea about my target; most of the PoCs were about XSS. After watching them I picked some domains at random, including alipay.com, ucweb.com and a few more.
Here we go..
I started my recon by checking the available subdomains. For that I went to https://virustotal.com and started going through them one by one. I didn't get any interesting subdomains at first, so I started looking at ucweb.com subdomains and found samsung.ucweb.com. Samsung, ahh, let's see what's there. I opened that subdomain and got this:
What do most people do here? They just ignore it. I was about to do the same thing, but then I remembered an article I had read: if you encounter a page like this, Google the site and you may find an endpoint that is accessible.
So that's what I did. I used the simple dork site:samsung.ucweb.com and the results really surprised me.
I opened this URL http://samsung.ucweb.com/webstore/classify.html?dataKey=LifeStyle&title=LifeStyle and started testing the parameters. The title parameter was reflecting its input, so to check whether there was any filter I used <b></b> and found that there was none.
I used the payload <script>alert(1)</script>, but it didn't work. Then I tried <img src=x onerror=alert('XSS')> and boooom, I got the XSS popup.
This was my first bug in a bounty programme, so I was really excited; I was even screaming at the time.
I submitted it on https://security.alibaba.com and their response was really fast. I opened the report and saw that I had been rewarded $50.
This time I was screaming a little louder than before. So that's the end of the story of my first bug bounty. Soon after that I was rewarded $100 on HackerOne, on VHX.
Now it's time for the second XSS.
The second XSS I found only this month, in the same domain. To fix the previous XSS they removed that endpoint, and if I try to open it now I get a 404 Not Found.
I thought of using a tool like DirBuster or gobuster on this subdomain to find a new endpoint. I tried both, but neither was working here; they gave some errors on this subdomain, so I moved on.
After some days I got to know about dirsearch, so I gave it a try and it worked perfectly. From the results I got one more endpoint: /test/
I opened http://samsung.ucweb.com/test/ and from there found http://samsung.ucweb.com/test/classify.html?dataKey=New&title= , the same URL as before. I used the payload and, yes, you guessed it, the XSS popup was there.
Again a $50 bounty from Alibaba. It was really simple.
So guys, don't forget to use directory brute-force tools on the subdomains of your target; you might get lucky just like me.
Thanks a lot for reading till the end. I hope you found this article interesting. See ya
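As an added example (not code from the original post or from ucweb.com), here is a model of the reflected title parameter behind both classify.html URLs above, beside a hardened version and a small check a reviewer can run. The real script of classify.html is not shown on this page, so the innerHTML-style sink below is an assumption about how the parameter was reflected.

```javascript
// Added example, not the ucweb.com code: models a DOM sink that reflects the
// `title` query parameter, as assumed from the behaviour described in the post.

// Vulnerable pattern (assumed): the raw query value is concatenated into HTML
// that a page would then assign to innerHTML or pass to document.write, so any
// markup in `title` is rendered instead of displayed as text.
function renderTitleUnsafe(search) {
  const title = new URLSearchParams(search).get('title') ?? '';
  return '<h1 class="title">' + title + '</h1>';
}

// Hardened pattern: escape the HTML-significant characters before the value
// reaches an HTML sink. In a real page, assigning to textContent is simpler still.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderTitleSafe(search) {
  const title = new URLSearchParams(search).get('title') ?? '';
  return '<h1 class="title">' + escapeHtml(title) + '</h1>';
}

// Review/test check: does the rendered output contain any tag other than the
// template's own <h1>? If so, user input reached the sink unescaped.
function leaksMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(t => !/^<\/?h1\b/.test(t));
}

// Constructed sample inputs: the post's <b></b> probe and a benign value.
const probe = '?dataKey=LifeStyle&title=<b></b>';
const benign = '?dataKey=LifeStyle&title=LifeStyle';

console.log(leaksMarkup(renderTitleUnsafe(probe)));  // true: markup reflected as-is
console.log(leaksMarkup(renderTitleSafe(probe)));    // false: markup neutralised
console.log(renderTitleSafe(benign));                // <h1 class="title">LifeStyle</h1>
```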