From P5 to Payday $$$: Escalating Reflected XSS to Account Takeover

The thrill of the hunt. The adrenaline rush of uncovering a hidden vulnerability. The sting of a P5 rating. Bug bounty hunting is a roller-coaster, and sometimes, the most exhilarating rides start with the bumpiest beginnings.

This is the story of one such ride. In this post, I’ll share a journey that demonstrates the power of escalating a seemingly minor reflected XSS vulnerability into an impactful discovery, ultimately earning a $500 bounty.

The Payload:

To confirm the vulnerability, I injected the following payload into the password reset field:

This successfully triggered an alert displaying the user’s cookies, demonstrating the presence of XSS.

The Initial P5 Rating:

While the XSS was a valid finding, it was initially classified as P5 (Informational) by the Bugcrowd team, indicating a lack of immediate, exploitable risk. This meant it was ineligible for a bounty reward.

But something in me wouldn’t let go. This bug, though seemingly insignificant, felt like a piece of a puzzle. I needed to see the bigger picture.

Determination and Further Exploration:

Undeterred, I heeded the team’s encouragement to explore potential escalation paths. I dove deeper into the application’s structure and functionality, seeking ways to amplify the impact of the XSS.

Discovering the Sessions Page:

During my reconnaissance, I stumbled upon a hidden page residing at https://example.com/sessions. This page intriguingly displayed session IDs and associated session data, raising suspicions about its purpose and security implications.

Unveiling the Session Data Flaw:

Upon further analysis, I unearthed a critical flaw: the sessions page was inadvertently disclosing sensitive user information, including usernames and passwords, directly tied to their respective session IDs.

The gears in my head started turning. Could this be the missing piece? Could I use the XSS vulnerability to steal a user’s session ID

Crafting the Account Takeover Payload:

Recognizing the opportunity, I meticulously constructed a new payload that leveraged the XSS vulnerability to achieve a full account takeover:

The payload would stealthily extract the victim’s session ID and transmit it to the attacker.

The attacker, armed with the stolen session ID, could then access the sessions page and view the victim’s sensitive credentials.

Account Takeover Achieved:

With this strategic payload deployment, I successfully demonstrated the ability to execute a complete account takeover, showcasing the severe implications of the initially underestimated XSS vulnerability.

The feeling of accomplishment was indescribable. I had taken a seemingly insignificant bug and transformed it into a security breach worthy of a hefty bounty. But more importantly, I had learned a valuable lesson: never underestimate the power of persistence and creative thinking.

Bounty Award and Key Lessons:

The Bugcrowd team promptly acknowledged the escalated finding and its heightened impact, awarding a $500 bounty. This experience reinforced several invaluable lessons:

Never Underestimate P5s: Even seemingly minor vulnerabilities can often serve as stepping stones to more critical exploits.

Persistence Pays Off: Obstacles and initial setbacks are common in bug bounty hunting. Tenacity and a willingness to explore alternative pathways are essential for success.

Understand Application Logic: Delving into the application’s inner workings empowers you to identify potential chains of vulnerabilities and amplify their impact.

Write Comprehensive Reports: Effectively communicate the real-world consequences of your findings to secure appropriate recognition and rewards.

Bug bounty hunting demands patience, ingenuity, and a keen eye for detail. By embracing these qualities and persistently seeking opportunities to escalate vulnerabilities, you can transform seemingly insignificant findings into significant rewards, making a tangible impact on the security landscape.

subscribe for more at Hasanka Amarasinghe :)