Hello bug hunters! I'm back again with another writeup. Mostly I don't show off my bounties. But this writeup is not for bounty purposes. I'll tell you what mistakes I made, which you shouldn't repeat for the same bug like I did. I'll also share some tips and, obviously, bug chaining. So, without any delay, let's start the roller coaster ride.
I was hunting on a responsible disclosure program. That program had very few features. I mean there was no signup or login functionality or any similar input field where I could test for bugs. There were only a few web pages: you could download the company's software and read the manual, privacy policy, etc. Now what?
I fired up Burp Suite (Burpi ❤) and spidered the whole website. Then I noticed that there were no security headers at all, especially no XSS protection header. As you know, there was no functionality on the target to test input validation, but there were language/email parameters (e.g. target.com/?lang=en&email=x). I know what you are thinking right now. I tried a simple XSS payload and it worked!! Woohoo…
I started bug chaining. I did HTML injection: I typed simple HTML code (e.g. <h1>HelloWorldHTMLInjectionHere</h1>) and it was rendered. What else can we do? Another bug chain is open redirection via HTML injection. Yes, you read it right. The payload looks like this:
<script>document.location.href="https://example.com"</script>
It will redirect to example.com. I quickly made a PoC, wrote a good report and sent it to their security mail. After a couple of days I got a mail saying I was eligible for a bounty, and I got $500. That's it guys. Keep hunting, keep sharing.
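To make the root cause concrete, here is an added example (not code from the original post or from the affected company) of the reflection pattern behind the finding: a page that concatenates the lang and email parameters straight into HTML, the same page with the values escaped, a check that tells the two apart, and a check for the response headers the post noticed were missing. The URL, parameter names, header set and marker tag are constructed for the demo, and the rendering functions are a simplified stand-in, not the target's real server code.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample request: same shape as the post's target.com/?lang=en&email=x,
# with a harmless bold tag in the email parameter acting as the reflection marker.
SAMPLE_URL = "https://target.example/?lang=en&email=%3Cb%3Emarker%3C%2Fb%3E"

# Constructed response headers resembling what the post describes: no security headers.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "demo"}

# Headers a defender would expect on an HTML response; values are illustrative defaults.
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def params_from_url(url: str) -> dict:
    """Return the first value of each query parameter (the 'lang' and 'email' of the post)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def vulnerable_render(lang: str, email: str) -> str:
    """The flawed pattern: parameters are concatenated straight into the HTML."""
    return f'<html lang="{lang}"><body><p>Contact: {email}</p></body></html>'


def hardened_render(lang: str, email: str) -> str:
    """Same page, but every reflected value is HTML-escaped, quotes included,
    because lang lands inside an attribute value."""
    return (
        f'<html lang="{html.escape(lang, quote=True)}">'
        f'<body><p>Contact: {html.escape(email, quote=True)}</p></body></html>'
    )


def reflected_as_markup(render, url: str, marker: str = "<b>marker</b>") -> bool:
    """True if the marker from the query string reaches the response as live markup."""
    params = params_from_url(url)
    page = render(params.get("lang", ""), params.get("email", ""))
    return marker in page


def missing_security_headers(headers: dict) -> list:
    """List the recommended headers absent from a response (header names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [name for name in RECOMMENDED_HEADERS if name.lower() not in present]


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflected_as_markup(vulnerable_render, SAMPLE_URL))
    print("hardened reflects markup:  ", reflected_as_markup(hardened_render, SAMPLE_URL))
    print("missing headers:", missing_security_headers(SAMPLE_HEADERS))
```

Two points worth keeping in mind when you triage a case like this: escaping has to match the context the value lands in (an attribute value needs quote escaping, which is why quote=True is passed), and the X-XSS-Protection header the post looked for is deprecated and ignored by current browsers, so a missing Content-Security-Policy is the more meaningful gap to report alongside the reflection itself.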
Mistakes I made while testing: there were more than 6 domains related to the target company, and the same bug was present on them. But I reported only the main domain's bug, and they fixed the remaining domains which were also affected by the same bug.
Lesson: if you find a bug, check the same parameters on all in-scope domains.
Tip: if self-XSS is out of scope, then you can try HTML injection, open redirection, CSRF, or escalating self-XSS to stored XSS.
Instagram: th3.d1p4k
Twitter: Dipak Panchal