Story of a Parameter Specific XSS!
September 19, 2017

Hello Infosec folks! I am going to start writing posts about my bug hunting findings and sharing them with the community, starting with this one.

This post is about a Reflected XSS I found in a private program which had been tested many times before. The XSS was present on nearly every page of the domain (let's call it private-bounty.com) but hadn't been found by anyone. While going through the application, I found an endpoint with the following URL:

https://www.private-bounty.com/Deactivate?view=aaa&utm_content=foo&utm_medium=bar&utm_source=baz

I checked the source code to see whether the parameter "view" was reflected anywhere in the page, and found that the whole URL was reflected in a JavaScript context (inside script tags), except for the parameter "view" and its value. It was reflected as:

https://www.private-bounty.com/Deactivate?utm_content=foo&utm_medium=bar&utm_source=baz

Since the values foo, bar and baz were also reflected in the page, I tried to break out of the context, but unfortunately everything was properly encoded:

https://www.private-bounty.com/Deactivate?utm_content=foo'"><>\&utm_medium=bar'"><>\&utm_source=baz'"><>\

Then I tried adding quotes in the path itself, but that was encoded well too, so after not being able to get XSS because of the proper encoding of user input, I moved ahead to find something else.

https://www.private-bounty.com/Deactivate/'"?utm_content=foo'"><>\&utm_medium=bar'"><>\&utm_source=baz'"><>\

I found this pattern of "utm_content=foo&utm_medium=bar&utm_source=baz" reflected on every endpoint, and no other parameter was reflected.
I tried appending a custom parameter of my own to see if it would be reflected, but it didn't work:

https://www.private-bounty.com/Deactivate?view=aaa&utm_content=foo&utm_medium=bar&utm_source=baz&test=xxxxx

After that, I tried appending a parameter named utm_foobarbaz=xxxxx:

https://www.private-bounty.com/Deactivate?utm_content=foo&utm_medium=bar&utm_source=baz&utm_foobarbaz=xxxxx

and it was reflected into the page! So the application only reflected parameters whose names begin with "utm". I tried again to break the context and achieve XSS using this parameter's value, but it was also encoded well :(

The last thing I tried was to break the context by putting the payload in the parameter name itself:

https://www.private-bounty.com/Deactivate?utm_content=foo&utm_medium=bar&utm_source=baz&utm_foobarbaz'">=xxxxx

and boom! It worked :D The names of parameters beginning with "utm" were not being encoded when reflected in the page. And that's how we alert :p

https://www.private-bounty.com/Deactivate?utm_content=foo&utm_medium=bar&utm_source=baz&utm_foobarbaz');alert(1)//

The lesson is that we should always also try to inject into and fuzz the parameter names themselves; this was just a special case of such an XSS, in a parameter name beginning with the specific keyword "utm".

- Rahul Maini

Comments

a, 19 September 2017 at 07:37: Awesome :)

jack sparrow, 19 September 2017 at 08:40: :O awesome :)

Mahender Singh, 19 September 2017 at 11:52: Good

aaaaaaaaaaaaaaaaaa, 20 September 2017 at 08:15: awesome work! :P

Unknown, 21 September 2017 at 07:57: Good one mate (y)

Unknown, 22 September 2017 at 11:40: Amazing

Unknown, 26 September 2017 at 02:02: keep it up !!!
Unknown, 8 November 2017 at 20:18: Amazing work, Maini sir
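To show the defect the post describes from the defender's side, here is an added Python example; it is my own illustration, not code from the post or from the affected application, whose real code is never shown. It models a page that rebuilds the current URL inside a script tag: one builder URL-encodes parameter values but copies utm_* names through verbatim, so a quote in a name ends the JavaScript string literal exactly as the post found; the hardened builder encodes names and values alike and then emits the URL as a JSON literal with HTML-significant characters escaped, so it can neither end the literal nor close the script element. The "utm" name filter, the use of `urllib.parse.quote`, the `currentUrl` variable and the sample query are assumptions, and `literal_is_intact` is the kind of check a reviewer or a test suite would run over the rendered output.

```python
import json
from urllib.parse import quote, unquote

# Constructed sample path and query string, mirroring the URLs in the post.
SAMPLE_PATH = "/Deactivate"
SAMPLE_QUERY = "utm_content=foo&utm_medium=bar&utm_source=baz&utm_foobarbaz');alert(1)//"


def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs.

    Done by hand rather than with urllib.parse.parse_qsl so that separator
    handling is identical on every Python version.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def utm_pairs(query):
    """Keep only parameters whose names start with 'utm' (assumed app behaviour)."""
    return [(name, value) for name, value in parse_query(query) if name.startswith("utm")]


def build_script_vulnerable(path, query):
    """Rebuild the current URL inside a single-quoted JS string literal.

    The path and the values are URL-encoded, but the names are copied through
    verbatim: this is the defect the post describes, so a quote inside a
    utm_* name terminates the literal.
    """
    rebuilt = "&".join(f"{name}={quote(value, safe='')}" for name, value in utm_pairs(query))
    return f"<script>var currentUrl = '{quote(path, safe='/')}?{rebuilt}';</script>"


def build_script_safe(path, query):
    """Hardened version: encode names and values alike, then emit the URL as a
    JSON string with <, >, & and ' written as \\uXXXX escapes, so the output can
    neither end the JS literal nor close the <script> element."""
    rebuilt = "&".join(
        f"{quote(name, safe='')}={quote(value, safe='')}" for name, value in utm_pairs(query)
    )
    literal = json.dumps(f"{quote(path, safe='/')}?{rebuilt}")
    for raw, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("'", "\\u0027")):
        literal = literal.replace(raw, escaped)
    return f"<script>var currentUrl = {literal};</script>"


SCRIPT_PREFIX = "<script>var currentUrl = "
SCRIPT_SUFFIX = ";</script>"


def literal_is_intact(script):
    """Review-time check on rendered output: the text between the literal's
    delimiters must contain no raw quote, angle bracket or line break, otherwise
    request input could have terminated the string or the script element."""
    literal = script[len(SCRIPT_PREFIX):-len(SCRIPT_SUFFIX)]
    inner = literal[1:-1]
    return not any(ch in inner for ch in "'\"<>\n\r")


if __name__ == "__main__":
    for builder in (build_script_vulnerable, build_script_safe):
        rendered = builder(SAMPLE_PATH, SAMPLE_QUERY)
        print(builder.__name__, "intact:", literal_is_intact(rendered))
        print("  ", rendered)
```

The vulnerable builder passes the check for the post's first attempts (quotes in values and in the path are percent-encoded) and fails it only when the quote sits in a utm_* name, which is why value-only fuzzing never found the bug. The fix does not depend on guessing which positions in the URL are attacker-controlled: every component is encoded and the whole string goes through one context-aware serializer.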