Weaponizing XSS Attacking Internal System
Few week ago I was talking to a friend of mine when he gave me a subdomain that had an admin panel and asked me weather I could find a way to get inside, Why not give it a try.
So I stared my recon by doing Directory Scanning , Checking SQL injections , Checking if there is some vulnerable libraries and finally
Shit but I was curious to know more about it and I went to GOOGLE and searched for the company and gathered more info about the company even gave a connection request to the CTO via LinkedIn (we will get to the CTO in a minute)
While looking at the company website I saw a support panel where I can submit tickets somewhere in my head I was having a voice saying its vulnerable and I should test it.
Hmm May be a Blind XSS so i went to my XSSHunter account and copied the payload and submitted the request I never had any hope of having a successful execution but the next day I logged in to my account to check if it was executed and BOOM .
I was able to grab the cookie of the user which I was able to impersonate and gain a valid session Boom inside Internal System.
I registered an new account and submitted a Responsible Disclosure
After a Day I was greeted with one of the best messages that Ive ever got
This mail was actually by the CTO of the company a really cool guy who rewarded me for my finding,