Found Bug: Cross-Site Scripting (XSS) in Laravel Debug Mode !!


Professor0xx01

Hello Hunters !! Hope you all are doing well.

Intro: I am p_ra_dee_p, whom you all know as Professor0xx01, a security researcher passionate about making the web safer. Today I am going to explain how I found Reflected Cross-Site Scripting (XSS) in multiple web sites via the Laravel Debug Mode. So, let’s start digging into it!!

Bug :: Cross Site Scripting (XSS) :: HIGH

During enumeration of the scoped domains (*.target.com), I detected that the web framework in use was “Laravel”.

After some directory enumeration I found the endpoint “/_ignition/execute-solution”. It returned 405 Method Not Allowed.

Browsing to that endpoint produced an error page, which indicated that the Laravel Ignition debug mode was enabled.

After spending some time searching across instances, I found an endpoint in this Laravel web framework that is vulnerable to Reflected XSS.

The “Laravel Ignition — Cross-Site Scripting” scanner module is designed to detect a cross-site scripting vulnerability in Laravel Ignition when debug mode is enabled. Laravel Ignition is a debugging dashboard built specifically for Laravel applications, and the module identifies and reports this high-severity cross-site scripting vulnerability in it.

After that, I inserted the following payload and, as you have probably guessed, it worked: I successfully triggered the alert from the Laravel Ignition debug page!!

/_ignition/scripts/--><svg onload=alert('Professor0xx01')>

In the same way, I found 3+ Reflected Cross-Site Scripting issues across multiple domains scoped under the assessment.
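The probing sequence described above (a GET to /_ignition/execute-solution answered with 405, then a markup payload in a /_ignition/scripts/ path) leaves a recognisable trace in web server access logs. The detection script below is an added example written for this page, not code from the original post; the log lines, IP addresses and timestamps are constructed, and it assumes the common Apache/nginx "combined" log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format). The two /_ignition/
# requests mirror the endpoints the article describes, with the XSS probe
# URL-encoded the way a browser or proxy would send it.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /_ignition/execute-solution HTTP/1.1" 405 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /_ignition/scripts/--%3E%3Csvg%20onload=alert(1)%3E HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "GET /assets/app.js HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Fragments that never belong in a legitimate URL path: tag delimiters,
# inline event handlers (onload=, onerror=, ...) and javascript: URLs.
MARKUP_RE = re.compile(r'[<>]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)


def classify(line):
    """Return (ip, decoded_path, status, reason) for a request worth alerting
    on, or None for lines that are unparseable or not Ignition-related."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group("path"))  # decode %3C etc. before pattern matching
    if not path.startswith("/_ignition/"):
        return None
    status = int(m.group("status"))
    if MARKUP_RE.search(path):
        reason = "markup in /_ignition/ path (reflected XSS probe)"
    elif path.startswith("/_ignition/execute-solution"):
        reason = "Ignition execute-solution endpoint probed (debug-mode fingerprint)"
    else:
        reason = "request to Ignition debug endpoint"
    return (m.group("ip"), path, status, reason)


def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, path, status, reason in scan(SAMPLE_LOG):
        print(f"{ip} {status} {reason}: {path}")
```

On the mitigation side, Laravel reads APP_DEBUG from .env; keeping it false in production means Ignition never renders its error pages in the first place, and the alerts above then only ever flag probing, not a working reflection.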

Then I wrote an instant report about this security vulnerability and sent it to the #NCIIPC team!! Waiting for their response!!

That’s it for this Article now !!

THANKS FOR READING !!

Hope you guys enjoyed it !! If you like, then clap & follow me for more insightful articles !!

Happy Hunting ~~

Keep Growing & Keep Securing ~~

#Bug Bounty #VDP #BBP #OffSec #InfoSec #Web AppSec #Security
