BOOK THIS SPACE FOR AD
ARTICLE ADThis is a Bug that i found in a private bug bounty program and resolved i will share what i found and how i exploited it
Reflected XSS or reflected cross site scripting is a bug that allow attacker to run malicious code on user browser
Imagine a website with a search functionality for the products in webapp. If malicious user crafted a malicious javascript code and fire a search with this code. If the webapp not validating user input the vulnerable webapp will take this payload as code instead as string.
Webapp unaware of the danger and simply shows the user input (in this case malicious js code) what ever you typed in the search bar including hidden code. Here’s the critical part . Because of website is trusts user input and shows it in the website the browser also trust the input and will execute it.
If the vulnerable http request is GET it is easy to exploit it. But in my case it was a POST. Exploiting XSS via POST Request is tricky but it is still possible.
GET Requests: In a GET request, the data you submit (payload) is visible in the URL. This makes it easier for attackers to craft a malicious link to trick someone into clicking it.
POST Requests: With POST, the data is hidden within the body of the request, not displayed in the URL. This makes it harder to directly trick someone into submitting the payload.
Cross-Site Request Forgery (CSRF): This is a separate vulnerability, but it can be chained with XSS via POST. An attacker might trick the victim into unknowingly submitting a malicious POST request to the vulnerable website.
In this case i need to exploit csrf to trick the user, website and browser.
In essence, exploiting XSS via POST relies on getting the victim to submit the payload unknowingly. It requires more effort than a simple click on a malicious link, but it’s still a danger.
Here i will give you details about this bug and how i was able to exploit it.
Username parameter in the https://redacted.com/forgotpassword.jsp can be exploited via CSRF.
Steps
Go to https://redacted.com/forgotpassword.jspAnd type following payload on username field<script>alert(document.cookie)</script>3. You will see a pop up contains session cookie
After typing some random username and click submit we can see the url will be change from this https://redacted/forgotpassword.jsp to this https://redacted/forgotpasswordServlet
https://redacted/forgotpasswordServlet endpoint also have Reflected XSS vulnerability but this a POST request directly accessing this url give us a error that saying
Error 405: HTTP method GET is not supported by this URL
But a attacker can exploit POST form XSS through CSRF
<html><head>
<body>
<form action="https://redacted/forgotpasswordServlet" method="POST" target="csrf-frame" id="csrf-form">
<input class="username" type="hidden" placeholder="Username" size="20" name="username" value="/<script>alert(document.cookie)</script>">
<input class="password" type="hidden" placeholder="email Id" size="100" name="emailId" value="password">
<input class="login" type="submit" name="submit" value="submit">
</form>
</body>
</head>
</html>
Attacker will able to host this code in his server and send the url to victim
Victim visits the url and redirected to vulnerable website with malicious data and runs the malicious code in client side.
This malicious code can do various nasty things, depending on what the attacker designed it for.
Here are some examples:
Steal your login information for the website (like stealing cookies).
Show you fake content or advertisements (like changing the product search results).
Take control of your browser for a short time (like making your browser download malware).