A couple of weeks ago, one morning began differently than usual.
Message: “Is this your article? (an article about one hacking story) Do you want to check our service?”
As a result, after several messages on Telegram, I was on my way to start recon on a new service. The service name was paykassa.pro.
It's a payment provider service, mostly for cryptocurrencies. And yes, it was an official request without the bug-bounty routine: long fixing times, arguing about the reward amount and so on.
The testing session was interesting, and I am here to share my findings with you.
1. Blind XSS in support chat (fixed)
First of all, I checked the support chats. There were two support areas: one with a widget and a second with an official request from the profile menu. The second route was successful. I found how to use XSS via an attached file, from the filename and from the title.
It also had the biggest impact here, because the support guys sent me this smile ;) and that was good for me: I caught their cookies → URL to the admin menu → in the end I could control the service from the admin tool with these caught cookies.
For the XSS I used this vector (I always collect my logs with xsshunter.com)
And the result was: a powerful admin menu
2. XSS attack from an interesting directory (fixed)
During the recon process I found an interesting directory: https://paykassa.pro/info.php
This page has one form that sends a POST request to the main service. From time to time the service returned some data to use:
- first of all, it's unrestricted access to the service data
- second, it's a place where some data was reflected on the page
An attacker can craft a malicious page with an XSS+CSRF vector to steal the victim's cookies on this page via the reflected parameter.
3. CSRF attack on user settings (fixed)
On the personal page of my test user I found that there were no CSRF tokens, which would make each request for saving private data unique. I checked it with two different users, and my theory was right: the first user, using a maliciously crafted page, can modify data for the second user.
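As an added example that is not part of the original post or the service's own code, here is a defender-side sketch of the two fixes these findings (the blind XSS from attachment filename/title in finding 1, and the missing CSRF token in finding 3) call for: a per-session synchronizer token plus an Origin check on the settings-save handler, and HTML-escaping of the attachment fields before the support view renders them. The session store, handler names and allowed origin are constructed placeholders.

```python
import hmac
import html
import secrets
from urllib.parse import urlparse

# Constructed placeholders: an in-memory session store and the site's own origin.
SESSIONS = {}
ALLOWED_ORIGIN = "https://payment-service.example"


def new_session(user_id):
    """Create a server-side session holding a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user_id, "csrf": secrets.token_urlsafe(32), "email": ""}
    return sid


def csrf_token_for(sid):
    """Token the legitimate settings form embeds as a hidden field."""
    return SESSIONS[sid]["csrf"]


def save_settings(sid, headers, form):
    """State-changing POST handler. Returns (status, message).

    A page on another origin can make the victim's browser send this request
    with the session cookie, but it cannot read or forge the per-session token.
    """
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "no session"
    # Defence in depth: reject requests whose Origin/Referer is another site.
    source = headers.get("Origin") or headers.get("Referer", "")
    if source and urlparse(source).netloc != urlparse(ALLOWED_ORIGIN).netloc:
        return 403, "cross-site request rejected"
    # Primary defence: synchronizer token compared in constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    sess["email"] = form.get("email", sess["email"])
    return 200, "saved"


def render_attachment_row(filename, title):
    """Escape ticket fields before they reach the support agent's HTML view,
    so a filename or title containing markup renders as text, not script."""
    safe_name = html.escape(filename, quote=True)
    return (f"<tr><td>{html.escape(title, quote=True)}</td>"
            f'<td><a download="{safe_name}">{safe_name}</a></td></tr>')
```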
The timeline for fixing was around 1–2 hours every time. That was great!
The reward amount was around $300. For me, money does not play an important role. That's why the project didn't scare me.
PS: You can contact me if you have an interesting project for testing.
Click the "Clap" icon if you like this article ;)