From P5 to P2 to 100 BXSS

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 12 hours ago · bug-bounty
From P5 to P5 to P2, from nothing to 1000+$ (BXSS) | by Mohamed Daher

Hey there, hope you will like this write up :)

Mohamed Daher · ~4 min read · April 22, 2020 (Updated: January 8, 2022)

Hey all :) Hope you guys are good as always. As you asked for on Twitter (make sure to follow me @DaherMohamed4), here is how I was able to escalate this bug from P5 to P2 and got rewarded +1000$. So let's start.

It was the same private program as my last write up. I had been hunting on this program for a week already and had reported all my findings, so I was struggling to find any more bugs. But not seeing them doesn't mean they don't exist :)

So I decided to start over and create a new account. When I filled in all the details, they asked me to verify my email first, but I could also change the email to another one in case I made a mistake. I directly thought about a race condition to use any email without verifying it.

Here's how you can do it (we'll assume that we have access to [email protected] and we want to register with [email protected]):

1/ Add an email to the account and open the email with the verification link, but don't click on it yet. (In my case I added [email protected] and opened the mail they sent me.)

2/ On the website click on "change email". Change the email to the one you want to use without verification, but don't click on "send link" now. (Now I changed the email to [email protected].) [email protected] is a temp email.

Here comes the tricky part. You have to click on the verification link and change your email at the same time. You can do that without Burp, but you may have to try a few times before it works, so here is a method to make it work every time: start Burp and turn intercept on. Now open the verification link you received on [email protected], then switch tab and validate the new email on the website ([email protected]), then turn intercept off. Burp will forward the 2 requests together, and that's what we want.

[email protected] was verified and I could now log in to my account. In this case what you should do is register with [email protected]; sometimes you can get access to some cool admin features. Unfortunately for me it wasn't the case here, but I still reported it and, as expected, it was closed as P5. Thanks Roy.

But huh, who are we to give up? Now we have to escalate this to give it a valid impact in order to be a valid bug. After some minutes I tried to escalate this to XSS. I did the same process, but instead of entering a fake email in the second step I entered : and XSS triggered. But since my email is private and only I can see it, this is a self-XSS. So we went from race condition (P5) to self-XSS (P5).

Now what? I remembered that this private program also had a forum dedicated to their site. I did the same process again, but instead of entering a regular XSS payload I entered a blind XSS payload. Mine was : "> (Tip: use the xsshunter.com tool to find blind XSS.)

I then went to the forum, created a new weird thread (to be sure that the admin would delete it) and reported my own thread to be sure that the admins would see it. Within hours I got an email alerting me that someone had triggered my XSS. Reading the XSSHunter report:

Triggered at : https://www.company.com/profile/XXXX
Referer : https://forums.company.com/XX/index.php?/topic/123456--/

The admin saw my weird thread, then clicked on my username → redirected to my profile → XSS triggered. The reason it triggered was that the admins had the feature to see the email of any user just by visiting their profile.

I now had the session cookie of the admin and I could use it to get access to the internal panel. I directly opened a new report on Bugcrowd and some days later :

So that's how I went from a P5 race condition to a P5 self-XSS to a P2 blind XSS. Hope you guys learnt something new from this write up, and if you have any question about this hit me up on Twitter @DaherMohamed4; I will try to reply when I'm free.

Take-away :

1/ If you're able to use any email without verification, try registering with [email protected]; you may get access to some admin features.

2/ Always look for the highest severity. Here, if the program had accepted the bug as P4 I would have got 100$ for that instead of 10x the bounty for the XSS.

3/ When you find a P5 bug you may use it and chain it with another bug to increase the severity (tip 2); they are not always useless.

#bug-bounty #infosec #hacking #web-security
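The verify/change-email race from the steps above, modelled from the defender's side as an added example (constructed Python, not the program's code; the addresses, `Account` fields and function names are assumptions): the vulnerable verify handler flips a flag that names no address, so a change request landing between its check and its write leaves the new, never-confirmed address marked verified, while the hardened handler records which address the link confirmed, so the same interleaving cannot make the profile's current address count as verified.

```python
import secrets

# Constructed in-memory model: not the program's code. Addresses are placeholders.
class Account:
    def __init__(self):
        self.email = None           # address currently shown on the profile
        self.verified = False       # vulnerable design: a bare flag, tied to no address
        self.verified_email = None  # hardened design: records WHICH address was confirmed
        self.tokens = {}            # outstanding link token -> address it was issued for

def request_verification(acct, email):
    """Set the address and 'send' a link (here: just hand back the token)."""
    acct.email = email
    token = secrets.token_urlsafe(16)
    acct.tokens[token] = email
    return token

def change_email(acct, new_email):
    """'Change email': revoke old links, then issue a fresh one for the new address."""
    acct.tokens.clear()
    return request_verification(acct, new_email)

def verify_vulnerable(acct, token, between=lambda: None):
    """Check-then-act: the flag lands on whatever address is current at step 2."""
    valid = token in acct.tokens      # step 1: is the link still valid?
    between()                         # a concurrent change_email request can land here
    if valid:
        acct.tokens.pop(token, None)
        acct.verified = True          # step 2: flips a flag that names no address
    return valid

def verify_hardened(acct, token, between=lambda: None):
    """Bind the result to the address the link was issued for; it cannot drift."""
    email = acct.tokens.get(token)    # the address this specific link belongs to
    between()
    if email is None:
        return False
    acct.tokens.pop(token, None)
    acct.verified_email = email       # even mid-race, only this address is confirmed
    return True

def is_verified_vulnerable(acct):
    return acct.verified

def is_verified_hardened(acct):
    # The profile address counts as verified only if it is the one that was confirmed
    return acct.verified_email is not None and acct.verified_email == acct.email

def run_race(verify):
    # Open the link for an owned address while the profile is changed to another one
    acct = Account()
    token = request_verification(acct, "owned@example.test")
    verify(acct, token, between=lambda: change_email(acct, "admin@company.test"))
    return acct
```

Running `run_race` with each handler shows the difference: the vulnerable model ends with `admin@company.test` verified, the hardened one ends with that address on the profile but unverified.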