Har Har Mahadev🔱. This is Prince Roy, a security researcher also known as Royzsec. Back again with another blog about how I was able to bypass the Amazon CloudFront firewall's logic and get XSS [cross-site scripting]. Are you guys excited to know how I did it?
So, at first, I collected all the live subdomains of weather.gov via Subfinder and HTTPX.
subfinder -d weather.gov -all | httpx -mc 200 | tee weather_live.txt
I barely remember it, but I found this XSS on the 9th or 10th subdomain. I lost that source code; otherwise, I could have explained very easily what the logical error was in their CloudFront setting.
That was the domain [training.weather.gov]. I found the GET-based RXSS on this page. When reading the source, they just used a loop where PCU pages 1–6 are shown. When I put:
https://training.weather.gov/pds/climate/index.php?unit=7
I found nothing on that page.
Then I tried to find SQL injection, but that didn't work, because they are using Amazon CloudFront.
Moreover, I also tried :
https://training.weather.gov/pds/climate/index.php?unit=1%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=2%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=6%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=7%22%3EHello
Up to ?unit=6, the requests were protected by Amazon CloudFront. But whenever I put unit=7, it bypassed the logic and was reflected on the screen.
I was shocked to see that, because it was unexpected; it was just a logical error. Then I put in the XSS payload, and guess what?
Boom! Got XSS. It was just a logical error: the developer made a mistake in the logic that retrieves the data from the database.
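As an added example (not the post's own code, and not training.weather.gov's source, which the author says was lost), here is a small Python model of the logic flaw described above and two ways to fix it. The handler names, the `.php` link targets and the six-unit range are assumptions; the probe value is the same `7">Hello` the post used.

```python
import html

# Constructed model of the flaw described in the post; it is not
# training.weather.gov's code. Assumption: six unit pages exist (1-6),
# and the hypothetical handler reflects the ?unit= value in its markup.
VALID_UNITS = range(1, 7)


def render_vulnerable(unit_param: str) -> str:
    """Models the original logic: known units are handled inside the loop,
    anything else falls through and is echoed back unescaped."""
    for unit in VALID_UNITS:
        if unit_param == str(unit):
            return f'<a href="unit{unit}.php">Unit {unit}</a>'
    # Fall-through: the value is reflected verbatim, so 7">Hello breaks out
    # of the attribute exactly as the post describes.
    return f'<a href="unit{unit_param}.php">Unit {unit_param}</a>'


def render_hardened(unit_param: str) -> str:
    """Allow-list first; out-of-range input is never reflected at all."""
    try:
        unit = int(unit_param)
    except ValueError:
        unit = 0
    if unit not in VALID_UNITS:
        return "<p>Unknown unit</p>"
    return f'<a href="unit{unit}.php">Unit {unit}</a>'


def render_escaped(unit_param: str) -> str:
    """Defence-in-depth variant: if a value must be reflected, escape it for
    the attribute context so quotes and angle brackets become entities."""
    safe = html.escape(unit_param, quote=True)
    return f'<p>Unit "{safe}" not found</p>'


def reflects_raw_markup(render, probe: str = '7">Hello') -> bool:
    """Regression check a team can keep in its test suite: does the probe
    come back with its quote and angle bracket intact?"""
    return probe in render(probe)
```

The WAF in the post only covered the values the application expected; the fix belongs in the handler, where the allow-list makes the out-of-range case unreachable regardless of what the edge filters.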
Finally, thanks for reading my small blog. If you like this, please share it with your friends and press the clap button for me, which inspires me a lot.
Please follow my social media platforms:
LinkedIn: https://www.linkedin.com/in/prince-roy-4b9a75187/
GitHub: https://github.com/royzsec
Twitter: https://twitter.com/royzsec