STORED XSS

@pullakarthik
3 min read · Jan 9, 2022

Hello Everyone,

My name is Pulla Karthik Srivastav (security researcher) from Telangana. I am so excited, as this is my second write-up on vulnerability assessment of web apps. I was searching for a vulnerability disclosure program using the bug bounty dork:

inurl:security "reward" site:ai

Paste the Google dork into the Google search bar; from the results I selected a vulnerability disclosure program.

Let's start,

Bug type: STORED XSS

Initially, let us call the target domain target.ai and assume the scope of the vulnerability disclosure program is *.target.ai. I started subdomain enumeration of the target using the tools below.

Tools for subdomain enumeration:

→ Sublist3r command in Kali Linux:

sublist3r -d target.ai -v -b > sub.txt

→ amass command in Kali Linux:

amass enum -d target.ai | httprobe > sub1.txt

→ assetfinder command in Kali Linux:

./assetfinder target.ai | httprobe > sub2.txt

→ Findomain command in Kali Linux:

./findomain-linux -t target.ai | httprobe > sub3.txt

→ subbrute command in Kali Linux:

./subbrute.py target.ai | httprobe > sub4.txt

After collecting all the subdomains, keep only the unique ones and store them in one file (here subs.txt):

cat sub.txt sub1.txt sub2.txt sub3.txt sub4.txt | sort -u > subs.txt

This command drops exact duplicates. Note that the httprobe runs above write URLs (http://host and https://host) while Sublist3r writes bare hostnames plus banner text, so the same host can still appear more than once unless the lines are normalised to hostnames first. I then copied all the subdomains into the Bulk URL Opener extension, which opens many URLs in the browser at once.
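The merge step above is where duplicates and out-of-scope hosts slip through, so here is an added example (not from the original write-up) that normalises the mixed tool output into one deduplicated, in-scope hostname list. The scope *.target.ai is the one assumed in the write-up; the sample lines are constructed to look like what each tool prints.

```python
"""Added example (not from the original write-up): merge the raw output of the
subdomain tools used above into one deduplicated, in-scope hostname list.

httprobe prints URLs (http://host, https://host) while Sublist3r prints bare
hostnames mixed with banner text, so `sort -u` over the raw files keeps the
same host several times; assetfinder also returns related but out-of-scope
domains. The scope *.target.ai follows the write-up; the sample lines are
constructed for this example.
"""
import re
from typing import Iterable, List, Optional

# ANSI colour codes that some tools emit even when output is redirected to a file
ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"(?:{LABEL}\.)+{LABEL}")


def normalize_host(line: str) -> Optional[str]:
    """Reduce one tool output line to a bare lowercase hostname.

    Returns None for anything that is not a hostname or URL (banner text,
    progress lines, blank lines).
    """
    text = ANSI_ESCAPE.sub("", line).strip()
    text = re.sub(r"^[a-z][a-z0-9+.-]*://", "", text, flags=re.IGNORECASE)  # scheme
    text = re.split(r"[/?#]", text, maxsplit=1)[0]  # path, query, fragment
    text = text.rsplit("@", 1)[-1]  # userinfo, if any
    text = re.sub(r":\d+$", "", text)  # explicit port
    text = text.rstrip(".").lower()  # trailing dot from DNS-style output
    return text if HOSTNAME.fullmatch(text) else None


def in_scope(host: str, scope: str) -> bool:
    """True for the apex itself or any subdomain of `scope` (label boundary,
    so nottarget.ai is not matched by scope target.ai)."""
    return host == scope or host.endswith("." + scope)


def merge_subdomains(lines: Iterable[str], scope: str) -> List[str]:
    """Normalise, scope-filter and deduplicate hostnames from mixed tool output."""
    hosts = {h for h in map(normalize_host, lines) if h and in_scope(h, scope)}
    return sorted(hosts)


# Constructed sample: a few lines in the shape each tool produces.
SAMPLE_OUTPUT = [
    "[-] Enumerating subdomains now for target.ai",  # Sublist3r banner line
    "\x1b[92madmin.target.ai\x1b[0m",                 # coloured Sublist3r line
    "target.ai",
    "http://app.target.ai",                           # httprobe output
    "https://app.target.ai",                          # same host, https
    "https://APP.target.ai/",                         # same host, different case
    "dev.target.ai:8443",
    "https://cdn.othercorp.com",                      # assetfinder: related, out of scope
    "nottarget.ai",                                   # suffix match must not catch this
    "",
]

if __name__ == "__main__":
    for host in merge_subdomains(SAMPLE_OUTPUT, "target.ai"):
        print(host)
    # Real use: merge_subdomains(open("sub.txt").read().splitlines() + ..., "target.ai")
```

Run it as-is to see the four in-scope hosts; in practice feed it the concatenated sub*.txt files instead of SAMPLE_OUTPUT and write the result to subs.txt before probing or screenshotting.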

I visited each and every subdomain (alternatively, you can use the EyeWitness tool, which visits every page and saves a screenshot). Surprisingly, I found a unique subdomain: a development admin page.

The vulnerable URL looks like: app-main.v2 **** .ai

This vulnerable URL has 2 issues:
1) Security misconfiguration (the admin page offers a public sign-up option)

Impact: any user can create an account and access the admin page

2) Stored XSS

Let's start hunting for XSS

Steps:

1) First, I created an account and logged in with the user credentials.

2) On the account/profile page, I looked for input fields.

3) I found an option called "Add member" with first name and last name input fields. I immediately inserted my basic XSS payload in first name and last name, gave a random email and clicked on invite.

Payload:
"><script>alert(document.cookie)</script>

4) Reloaded the page: BOOM, the XSS fired and displayed the cookies (the HTTP response header didn't have the HttpOnly and Secure flags either).

5) I cleared the cookies in my browser and logged in to the account again; right after logging in, the XSS fired again → STORED XSS

IMPACT:

Stored XSS occurs when an attacker submits malicious content through user input (here the first name and last name fields), the server stores it, and later renders it into a page without encoding. Unlike reflected XSS, no crafted link has to be sent to the victim: every user who views the stored data (for example an administrator looking at the member list, or the inviting account on its next login, as step 5 shows) receives the script as if it were legitimate content and their browser executes it. Because the session cookie was set without the HttpOnly flag, a payload like the one above can read document.cookie and exfiltrate it, leading to session hijacking and account takeover.

Solution:

→ Contextual output encoding: HTML-encode user-supplied data such as first and last name wherever it is written into a page (text, attribute, JavaScript and URL contexts each need their own encoding), and add input validation (length, allowed characters) as a second layer. Validation alone is not enough, because it cannot know every context the value will later be rendered in.

→ Use a Content Security Policy (CSP) that does not allow 'unsafe-inline' scripts, so an injected inline <script> is blocked even if encoding is missed somewhere.

→ The X-XSS-Protection: 1; mode=block header is still widely recommended, but it is deprecated: Chromium removed its XSS Auditor in Chrome 78, Firefox never implemented it, and it only ever targeted reflected XSS, so it would not have stopped this stored XSS. Do not rely on it.

→ Set the HttpOnly and Secure flags (and a SameSite attribute) on the session cookie in the Set-Cookie response header. HttpOnly keeps document.cookie out of reach of injected scripts; note that the script can still perform actions as the logged-in user within the page, so this is a mitigation, not a fix for the XSS itself.
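To make the first and last remediation points concrete, here is an added example (not code from the original write-up or the target application). The member-row template is a hypothetical stand-in for the application's own page, and the Set-Cookie header with the `session` cookie name is constructed; only the payload from step 3 and the observation that HttpOnly and Secure were missing come from the write-up. SameSite is included in the cookie check as the third attribute a reviewer would look for.

```python
"""Added example (not from the original write-up): why the payload from step 3
fires, and what output encoding and a cookie-flag check look like.

The member-row template is hypothetical; the `session` cookie header below is
constructed. The payload is the one used in the write-up.
"""
import html
from typing import List

PAYLOAD = '"><script>alert(document.cookie)</script>'  # payload from the write-up


def render_member_row_vulnerable(first: str, last: str) -> str:
    """Vulnerable: stored names are concatenated straight into an attribute
    and a text node. The leading '">' in the payload closes the value
    attribute and the <input> tag, so the <script> that follows becomes live
    markup every time the row is rendered (i.e. stored XSS)."""
    return (
        f'<tr><td><input name="first" value="{first}"></td>'
        f"<td>{last}</td></tr>"
    )


def render_member_row_safe(first: str, last: str) -> str:
    """Fixed: HTML-encode on output. quote=True also encodes " and ', which is
    what makes the attribute context safe; the text context needs <, > and &."""
    first_enc = html.escape(first, quote=True)
    last_enc = html.escape(last, quote=True)
    return (
        f'<tr><td><input name="first" value="{first_enc}"></td>'
        f"<td>{last_enc}</td></tr>"
    )


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Return which of Secure / HttpOnly / SameSite a Set-Cookie header lacks.

    The first ';'-separated part is name=value; the rest are attributes, whose
    names are case-insensitive (RFC 6265).
    """
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie.split(";")[1:]
    }
    wanted = ["Secure", "HttpOnly", "SameSite"]
    return [flag for flag in wanted if flag.lower() not in attrs]


if __name__ == "__main__":
    print(render_member_row_vulnerable(PAYLOAD, "Smith"))
    print(render_member_row_safe(PAYLOAD, "Smith"))
    # Constructed header in the shape the write-up describes (no flags at all)
    print(missing_cookie_flags("session=abc123; Path=/"))
```

Running it prints the vulnerable row with a live `<script>` element, the encoded row where the same bytes arrive as `&quot;&gt;&lt;script&gt;...`, and `['Secure', 'HttpOnly', 'SameSite']` for the unflagged cookie. The same `missing_cookie_flags` check can be pointed at a real response header captured in the browser's network tab or a proxy.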

Ethically hacked and reported.

Thanks for Reading.

Happy Hacking!!
