The target application is a web app that uses Express.js as its front end. Webpack is configured with source maps enabled, so the original source can be read through the browser's Inspect Element. The application also uses OAuth from the main app to log users in.
While reading the front-end source code, I found a redirect parameter that is used after the user successfully logs in. This redirect parameter is passed in the query string under the name "to".
After some testing, adding ?to=https://google.com redirected me to https://google.com, so the open redirect is confirmed. But we won’t stop there.
I tried to inject XSS using a javascript: URL (e.g. javascript:alert(1)), but nothing happened. I continued reading the source code and found this interesting code.
Do you spot the vulnerability?
It’s in the replace function. You can check the documentation:
When the pattern argument is a string, replace only replaces the first occurrence.
Why do I call it CTF-level XSS? Because I learned this technique in a CTF challenge that was using PHP and the preg_replace function.
After getting the XSS to execute, the next step was to steal the user's bearer token. Fortunately, the bearer token is stored in local storage, so it can be read with javascript:javascript:alert(localStorage.getItem("token"))
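The post does not show the application's sanitizer, so the added example below (not the target app's code) assumes a naive filter that strips the literal string "javascript:" with String.prototype.replace, which is exactly the first-occurrence behaviour the post describes. Beside it is a hardened version of the redirect check that parses the "to" value as a URL and only accepts same-origin http(s) paths, so neither the open redirect nor the javascript: scheme reaches location. APP_ORIGIN is an assumed origin for the example.

```javascript
// Naive sanitizer (assumption, modelled on the post's description): with a
// string pattern, replace() strips only the FIRST "javascript:" it finds, so
// a doubled prefix survives as a working javascript: URL.
function naiveSanitizeRedirect(to) {
  return to.replace("javascript:", "");
}

// Hardened check: do not try to remove bad schemes from the string. Parse it,
// resolve relative paths against the app's own origin, and accept the result
// only if it stays on that origin over http(s). Anything else gets a safe default.
const APP_ORIGIN = "https://app.example"; // assumed origin for this example
const SAFE_DEFAULT = "/";

function safeRedirectTarget(to, appOrigin = APP_ORIGIN) {
  if (typeof to !== "string" || to.length === 0) return SAFE_DEFAULT;
  let url;
  try {
    url = new URL(to, appOrigin); // "/dashboard" resolves against appOrigin
  } catch {
    return SAFE_DEFAULT; // unparseable value
  }
  // javascript: and data: URLs have origin "null"; "//evil.example" resolves to
  // a foreign origin. Both fail this check, which also closes the open redirect.
  if (url.origin !== appOrigin) return SAFE_DEFAULT;
  if (url.protocol !== "https:" && url.protocol !== "http:") return SAFE_DEFAULT;
  // Return only the same-origin path, never the raw user-supplied string.
  return url.pathname + url.search + url.hash;
}
```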
The CVSS score was calculated with HackerOne's CVSS 3.0 calculator, including the environmental metrics:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/CR:H/IR:H/AR:H
Final severity: High (7.4)