Have you ever found a vulnerability just by looking at the target's source code? If not, let me tell you about my experience.
This discovery began when I examined my target's source code for anything that might lead me to a vulnerability.
At that moment a snippet caught my attention; it looked like this:
<!-- Custom Meta -->
<meta name="DeviceType" content="desktop">
<meta name="UserAgent" content="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36">
<meta name="IpAddress" content="182.x.xxx.xxx">
<meta name="Rating" content="General">
You can see here that my user agent and IP are reflected in the source code.
Then I immediately turned on Intercept in Burp Suite to intercept requests and change my User-Agent value.
But here I got a 403 Forbidden whenever I changed the User-Agent value to any other string, for example: test, xxx, testing, etc.
Not giving up at this point, I thought: what if I changed my IP address to a payload?
My idea for changing the "IpAddress" value was to add an X-Forwarded-For header, because I don't think it's possible to change my real IP address into an XSS/HTML payload😂.
The X-Forwarded-For header is used to record the original IP address of clients accessing the server through a proxy or load balancer. For example:
X-Forwarded-For: 192.168.1.100, 10.0.0.1
This helps the server identify genuine clients for logging, security, or analysis. However, this header can be manipulated by the client, so it must be used with caution.
Let’s try changing the IpAddress value by adding the X-Forwarded-For header.
After seeing that I could change the IpAddress value, the next thing I tried was, of course, an HTMLi or XSS payload.
The payload I used:
X-Forwarded-For: evil.com"><h1>okay</h1>
Maybe the developer only validates the UserAgent value, not this one.
There are no character filters here, even though this web application has a WAF installed (Cloudflare).
Let’s try Xss🔥
As I said, there are no character filters of any kind here, in stark contrast to the protection of the User-Agent value.
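To make the root cause concrete, here is an added example (my own illustration, not code from the post or from the affected site) of the server-side pattern the meta tags above imply: the raw X-Forwarded-For value dropped into an attribute, beside a hardened version. The hardened version does two things the post shows were missing: it only believes X-Forwarded-For when the direct peer is one of its own proxies and each hop parses as an IP address, and it HTML-attribute-encodes whatever it reflects, which is what the free-form UserAgent value also needs. The `TRUSTED_PROXIES` set, the function names and the sample addresses are assumptions I constructed; the payload is the one from the post.

```python
import html
import ipaddress
from typing import Optional

# Constructed assumption: the reverse proxies we operate. Only a request that
# reaches the app directly from one of these may carry a believable
# X-Forwarded-For header.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def vulnerable_meta(forwarded_for: str) -> str:
    """The pattern the post describes: the header value is written straight into
    an attribute, so a double quote closes the attribute and the remainder of the
    value becomes live markup."""
    return f'<meta name="IpAddress" content="{forwarded_for}">'


def client_ip_from_xff(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """Return the client address the application should record.

    Each proxy appends the address it received the request from, so the list
    is read right to left: skip our own proxies, and the first address that is
    not ours is the client as seen at our edge. If the direct peer is not one
    of our proxies, or any hop fails to parse as an IP address, the header is
    not trusted and the direct peer address is used instead."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not forwarded_for:
        return str(peer)
    for hop in reversed(forwarded_for.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            # e.g. evil.com"><h1>okay</h1>: refuse to guess, fall back to the peer
            return str(peer)
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # every hop was one of our own proxies


def safe_meta(name: str, value: str) -> str:
    """Encode for an HTML attribute context. Needed for values that cannot be
    validated to a strict format, such as User-Agent; quote=True also encodes
    the double quote that would otherwise terminate the attribute."""
    return f'<meta name="{html.escape(name, quote=True)}" content="{html.escape(value, quote=True)}">'


def hardened_meta(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """Validate first, then encode: a value that passed ipaddress cannot contain
    markup, and the encoding guards against a later change that weakens the
    validation."""
    return safe_meta("IpAddress", client_ip_from_xff(remote_addr, forwarded_for))


if __name__ == "__main__":
    payload = 'evil.com"><h1>okay</h1>'  # the payload from the post
    print(vulnerable_meta(payload))
    print(hardened_meta("10.0.0.1", payload))
    print(safe_meta("UserAgent", payload))
```

Run it to see the vulnerable line emit a real `<h1>` element while the hardened line records only the proxy address. Validation of the IP, not just encoding, is also what keeps a spoofed X-Forwarded-For out of logs and rate-limit decisions, which is the separate risk the header description above warns about.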
After getting all this, I thought: what if I try to read an internal file with an iframe tag?
After trying this idea I got nothing😥.
Lastly I tried SSRF using the iframe tag, but there was nothing interesting here either.
Payload: X-Forwarded-For: <iframe src="http://burp-collaborator">
After feeling this was enough, I immediately reported my findings to the web owner, and they responded well.
Rewards? Still being processed.
Maybe that’s all I can share this time, hopefully in the future I can share other interesting things.
X : Ghee1337
Telegram channels : https://t.me/bugbounty_reference