Bug Chaining worth $500! 🤑

Hello bug hunters! I’m back again with another writeup. Mostly I don’t show off my bounties🤑 . But this writeup is not for bounty purposes. I’ll tell you what mistakes I made, which you shouldn’t repeat when you find the same bug I did. I’ll also share some tips and, obviously, bug chaining. So, without any delay, let’s start the roller coaster ride. 😉

I was hunting on a responsible disclosure program. That program had very few features. I mean there was no signup or login functionality, or any similar input field where I could test for bugs. There were only a few web pages, where you could download the company’s software and read the manual, privacy policy, etc. Now what?

I fired up Burp Suite (Burpi ❤) and spidered the whole website. Then I suddenly saw that there were no security headers at all, especially no XSS protection header. As I said about the target, there was no functionality to test input validation. But there was a language/email parameter (e.g. target.com/?lang=en&email=x). I know what you are thinking right now. I tried a simple XSS payload, and it worked!! Woohoo… 😍

Great? Haha, no. Self-XSS was out of scope.

So I started bug chaining. First, HTML injection: I typed simple HTML (e.g. <h1>HelloWorldHTMLInjectionHere</h1>) and it rendered. What else can we do? Another chain is open redirection via HTML injection. Yes, you read it right. The payload looks like this:

<script>document.location.href="https://example.com"</script>

It redirects to example.com. I quickly made a PoC, wrote a good report and sent it to their security mail. After a couple of days I got a mail that I was eligible for a bounty, and I got $500. That’s it, guys. Keep hunting, keep sharing.
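The pattern behind this bug and its fix, as an added example (not the target’s code): the vulnerable handler reflects lang and email straight into the page, while the hardened one allow-lists lang, HTML-encodes email, and sends the response headers the site was missing. The allowed language list, the page template and the header values are assumptions.

```python
import html
from typing import Dict, Tuple

ALLOWED_LANGS = {"en", "de", "fr"}  # assumed allow-list; the real site's languages are unknown

# Constructed payload of the kind the writeup describes: a reflected parameter
# carried verbatim into the page becomes an open redirect.
REDIRECT_PAYLOAD = '<script>document.location.href="https://example.com"</script>'


def render_vulnerable(lang: str, email: str) -> str:
    """Reflects both query parameters verbatim: the pattern behind the reported bug."""
    return f'<html lang="{lang}"><body><p>Contact: {email}</p></body></html>'


def render_hardened(lang: str, email: str) -> Tuple[str, Dict[str, str]]:
    """Allow-lists lang, HTML-encodes email, and returns the headers the target lacked."""
    safe_lang = lang if lang in ALLOWED_LANGS else "en"
    safe_email = html.escape(email, quote=True)  # < > & " ' become entities
    body = f'<html lang="{safe_lang}"><body><p>Contact: {safe_email}</p></body></html>'
    headers = {
        # CSP is the control that actually stops injected script from running;
        # X-XSS-Protection is legacy (ignored by current Chrome/Edge, never in Firefox).
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "no-referrer",
    }
    return body, headers


def contains_raw_payload(page: str) -> bool:
    """Cheap regression check for a tester or CI: does the payload come back unencoded?"""
    return REDIRECT_PAYLOAD in page
```

Run contains_raw_payload against every in-scope host that reflects the same parameters; that is the check the "Lesson" below is about.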

Mistakes I made while testing: there were more than 6 domains related to the target company, and the same bug was present on them. But I reported only the main domain’s bug, and they fixed the remaining domains, which were affected by the same bug, as well.

Lesson: if you find a bug, check the same parameters on all in-scope domains.

We took a heavy loss there!

Tip: if self-XSS is out of scope, you can try HTML injection, open redirection, CSRF, or self-XSS to stored XSS.

Instagram: th3.d1p4k

Twitter: Dipak Panchal

Bug hunter | CCSE