XSS on sony Subdomain

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 10 hours ago · bug-bounty
AI Summary

First-time bug bounty hunter discovered XSS vulnerability on a Sony sandbox subdomain (authtry.dev2.sandbox.dev.ppf.sony.net) through subdomain enumeration using crt.sh, assetfinder, and httprobe, then exploited parameter injection on the target's index.php with a classic XSS payload.

Entities
Sony ppf.sony.net authtry.dev2.sandbox.dev.ppf.sony.net crt.sh assetfinder httprobe dirsearch Gökhan Güzelkokar
XSS on Sony subdomain
Gökhan Güzelkokar · ~2 min read · January 6, 2020 (Updated: December 13, 2021)

Hi guys. This is my first bug bounty writeup. I started bug bounty on July 22, 2019. I want to share with the community all the vulnerabilities I have found. I choose large-scope programs when looking for bug bounty programs, and to improve myself I don't care about the bounty for now. So I chose SONY.

I started with subdomain enumeration. Firstly, I used crt.sh with the following queries to find potential sub-domains (now no longer supported :( ):

    %my%.sony.net
    %jira%.sony.net
    %jenkins%.sony.net
    %test%.sony.net
    %staging%.sony.net
    %corp%.sony.net
    %api%.sony.net
    %ws%.sony.net
    %.%.%.sony.net

Sometimes just random letters:

    %p%.sony.net
    %i%.sony.net
    %ff%.sony.net
    %co%.sony.net

On crt.sh I found this one: ppf.sony.net. Then I used assetfinder and httprobe by tomnomnom for subdomain enumeration and found a deep sub-domain. Here is our target sub-domain: authtry.dev2.sandbox.dev.ppf.sony.net

    assetfinder -subs-only ppf.sony.net | httprobe
    authtry.dev2.sandbox.dev.ppf.sony.net

Then I used dirsearch for secret directories. The default page appeared.

    dirsearch.py -u "authtry.dev2.sandbox.dev.ppf.sony.net" -e html,json,php -x 403,500 -t 50

Also, phpinfo is an information disclosure; I submitted another report for it.

When I visited index.php I got this page. As you can see we have 2 parameters, and if you have parameters on an empty page, firstly try to get XSS. I tried to get XSS on the page and I got it!!

Also my favorite payload :

Thank you !!!
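A defender-side version of the first step above (the crt.sh search for sandbox/dev hosts), added here as an example that is not part of the original post: it parses crt.sh's JSON output for an apex domain and flags non-production hostnames so they can be inventoried or decommissioned before someone else finds them. The JSON below is a constructed sample in crt.sh's output shape; the `%` wildcard URL helper and the label list are my own assumptions.

```python
import json
import re
from urllib.parse import quote

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=<pattern>&output=json): one record per certificate,
# with name_value holding newline-separated SANs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "ppf.sony.net",
     "name_value": "ppf.sony.net\nwww.ppf.sony.net"},
    {"common_name": "*.sandbox.dev.ppf.sony.net",
     "name_value": "*.sandbox.dev.ppf.sony.net\n"
                   "authtry.dev2.sandbox.dev.ppf.sony.net"},
    {"common_name": "shop.example.com",      # unrelated apex, must be dropped
     "name_value": "shop.example.com"},
])

# Labels that usually mark non-production hosts (assumed list); these are
# the same keywords the write-up searched for with crt.sh wildcards.
NONPROD_RE = re.compile(r"^(dev|test|staging|stage|sandbox|uat|qa)\d*$")


def crtsh_query_url(pattern: str) -> str:
    """Build the crt.sh JSON query URL; '%' is crt.sh's wildcard, as in
    the write-up's '%test%.sony.net' searches."""
    return "https://crt.sh/?q=" + quote(pattern, safe="") + "&output=json"


def hostnames_from_crtsh(raw_json: str, apex: str) -> set:
    """Distinct hostnames under `apex` seen in crt.sh output. name_value
    may hold several SANs; a wildcard '*.x.apex' is reduced to 'x.apex'."""
    hosts = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().lstrip("*.")
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
    return hosts


def nonprod_hosts(hosts) -> list:
    """Hosts carrying a dev/test/sandbox-style label in any position.
    Deeply nested names like authtry.dev2.sandbox.dev.ppf.sony.net are
    typical of forgotten environments that still get public certificates."""
    return [h for h in sorted(hosts)
            if any(NONPROD_RE.match(label) for label in h.split("."))]


if __name__ == "__main__":
    found = hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "sony.net")
    print("non-production candidates:", nonprod_hosts(found))
```

Pointing `hostnames_from_crtsh` at the live response from `crtsh_query_url("%.sony.net")` gives the same inventory for a real apex; monitoring it on a schedule turns the author's one-off hunt into a standing check.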
#security #xs #bug-bounty #bugs #bug-bounty-tips