My first bugs in 2024


Samet Yiğit

Hello everyone. In this article, I will explain how I found 4 bugs in one program on bugbounter during the first days of 2024.

Domain: target.com

I first visited target.com and started spending some time on the site.

This is very important because the more time you spend on the target site or target application, the better you understand the site and the more bugs you will find.

→target.com/profile

I visited target.com/profile and clicked "edit profile". I put "123<>" in the profile description, then checked the page source: the characters were reflected as-is, with no filtering and no WAF in front of the field.

HTML Payloads:

<img src="https://static.wikia.nocookie.net/mrbean/images/4/4b/Mr_beansholiday_ver2.jpg">
<h1>el-cezeri — First bugs in 2024 :)</h1>
<a href=https://attacker.com>Click Me !</a>

Then I visited target.com/profile/username from a second account.

I kept spending time on the same domain and next opened target.com/dashboard. Here users could create posts and share them publicly.

First I created a post containing "123<>", but some characters were blocked.

Only some tags worked: when I put in a <script> tag or an <a href> tag, it was removed. Later, while creating a post, I realized that posts could include images with the SVG file extension.

I quickly uploaded an SVG file containing my XSS payload and created a post.

Example SVG file: https://gist.github.com/rudSarkar/76f1ce7a65c356a5cd71d058ab76a344

The SVG link looked like this:

https://cdndn.target.com/images/helloworld.svg

The XSS triggered when the image was opened in a new tab or when the URL was visited directly. This matters for impact: a browser does not run scripts in an SVG embedded through an <img> tag, but when the file is navigated to as a document, the script runs in the origin of the host serving it (here cdndn.target.com, not target.com).

Sometimes the upload does not allow .svg, so capture the request in Burp and change the file extension to something like .svg.png, or try changing the Content-Type header. :)
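The .svg.png trick works because the upload handler decides by filename (and sometimes by the client-supplied Content-Type), while the browser decides by what the bytes actually are. The following is an added example of how an upload check should decide by content instead, plus the response headers that neutralise a hosted SVG if the site must keep it. This is illustrative code, not the target's or the author's; the file names, sample bytes and the "raster images only" policy are assumptions made for the example.

```python
import xml.etree.ElementTree as ET  # production code should prefer defusedxml (entity-expansion hardened)

SVG_NS = "http://www.w3.org/2000/svg"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGIC = b"GIF8"


def extension_allowed(filename: str) -> bool:
    """A filename-only check: this is exactly what 'evil.svg.png' walks past."""
    return filename.lower().endswith((".png", ".jpg", ".jpeg", ".gif"))


def looks_like_svg(data: bytes) -> bool:
    """Decide by content, not name: parse as XML and look at the root element."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False  # binary image data (or anything non-XML) lands here
    # ElementTree renders namespaced tags as "{namespace}localname"
    return root.tag in (f"{{{SVG_NS}}}svg", "svg")


def is_raster_image(data: bytes) -> bool:
    """Magic-byte check for the formats the allowlist actually intends to accept."""
    return data.startswith((PNG_MAGIC, JPEG_MAGIC, GIF_MAGIC))


def accept_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Hardened decision. The Content-Type header is attacker-controlled, so it is
    only echoed in the reason string here, never trusted."""
    if not extension_allowed(filename):
        return False, "extension not allowed"
    if looks_like_svg(data):
        return False, f"SVG content rejected (claimed {content_type!r})"
    if not is_raster_image(data):
        return False, "content is not a recognised raster image"
    return True, "ok"


def safe_image_headers(content_type: str) -> dict[str, str]:
    """If user-supplied SVG must be hosted anyway, these headers stop a direct visit
    to the file from executing script in the serving host's origin."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",   # no MIME sniffing of the body
        "Content-Disposition": "attachment",   # download instead of render
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no inline script even if rendered
    }


# Constructed sample inputs (not files from the target)
SVG_XSS = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
PNG_STUB = PNG_MAGIC + b"\x00" * 16
```

Renaming the payload to evil.svg.png and sending Content-Type: image/png satisfies extension_allowed but not accept_upload, because the XML root element gives the file away regardless of what the request claims.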

Then I noticed that, although tags like <script> were blocked, the XSS fired with the following payload :)

"><img src=x onerror=alert("cezeri")>
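A filter that strips <script> and <a href> but lets <img onerror> through is behaving like a blocklist of known-bad tags, and blocklists lose to every tag or attribute they forgot. The added example below, which is not the target's filter or the author's code, contrasts a blocklist sanitizer of that shape (an assumption about how the post filter worked) with an allowlist sanitizer built on Python's html.parser that keeps only named tags and attributes and drops event handlers and non-http(s) URLs.

```python
import re
from html import escape
from html.parser import HTMLParser


def blocklist_sanitize(text: str) -> str:
    """Remove <script> blocks and <a href ...> tags and pass everything else.
    Assumed shape of the post filter described above; it never looks at attributes."""
    text = re.sub(r"(?is)<script\b.*?</script\s*>", "", text)
    text = re.sub(r"(?is)<script\b[^>]*>", "", text)
    text = re.sub(r"(?is)<a\s+href[^>]*>", "", text)
    return text


# Allowlist: tag -> attributes that may survive. Everything else is dropped.
ALLOWED = {
    "b": set(), "i": set(), "p": set(), "br": set(),
    "img": {"src", "alt"},
    "a": {"href"},
}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document from parsed tokens; unknown tags and attributes vanish."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # <script>, <svg>, <iframe>, ... are simply not emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # drops onerror=, onload=, style=, and any other handler
            if name in ("src", "href"):
                url = (value or "").strip()
                if not url.lower().startswith(SAFE_SCHEMES):
                    continue  # drops javascript:, data:, vbscript: and bare "x"
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text can never open a tag


def allowlist_sanitize(text: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


# Constructed sample posts (the first is the payload from the article)
XSS_POST = '"><img src=x onerror=alert("cezeri")>'
LINK_POST = '<a href="javascript:alert(1)">Click Me !</a>'
```

The payload survives blocklist_sanitize untouched, while allowlist_sanitize reduces it to a bare <img> with neither the src nor the onerror attribute.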

→target.com/dashboard

I created a post and then noticed that other users could share or like my post on their social media accounts.

The share link looked like twitter.com/POSTID. Alternatively, when I liked a post, I captured the request with Burp and could read the post ID from the body:

"code":POSTID

I then deleted a post I had created and captured that request with Burp. When I replaced my post's ID with the victim's post ID, the victim's post was deleted, so I could delete any post I wanted (an IDOR on the delete endpoint, which never checked who owned the post).
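What makes the post deletion an IDOR is that the server takes the post ID from the request and the identity from the session, then never checks that the two belong together. The added example below (not the target's code or the author's) models the dashboard's post store in memory, shows the delete handler in the vulnerable shape described above beside the fixed one, and runs the two-account reproduction: "victim" creates, "attacker" replays the delete with the victim's ID. The JSON field name "code" is borrowed from the like request shown above and is an assumption for the delete body.

```python
import json
from dataclasses import dataclass


@dataclass
class Post:
    id: int
    owner: str
    body: str


class PostStore:
    """In-memory stand-in for the dashboard's post table (constructed for this example)."""

    def __init__(self) -> None:
        self.posts: dict[int, Post] = {}
        self._next_id = 1000  # sequential IDs make enumeration trivial, as in the article

    def create(self, owner: str, body: str) -> int:
        post_id = self._next_id
        self._next_id += 1
        self.posts[post_id] = Post(post_id, owner, body)
        return post_id

    def delete_vulnerable(self, actor: str, post_id: int) -> int:
        """The behaviour described in the article: the ID from the request is
        trusted and the session user is never compared with the post owner."""
        if post_id not in self.posts:
            return 404
        del self.posts[post_id]
        return 200

    def delete_fixed(self, actor: str, post_id: int) -> int:
        """Ownership is enforced from the session identity, not the request body.
        'Not yours' and 'not found' share a 404 so the endpoint cannot be used
        to confirm which IDs exist."""
        post = self.posts.get(post_id)
        if post is None or post.owner != actor:
            return 404
        del self.posts[post_id]
        return 200


def handle_delete(store: PostStore, session_user: str, raw_body: str, fixed: bool) -> int:
    """Parse a body shaped like {"code": POSTID} (assumed field name) and dispatch
    to either implementation. Returns an HTTP-style status code."""
    try:
        post_id = int(json.loads(raw_body)["code"])
    except (ValueError, KeyError, TypeError):
        return 400
    delete = store.delete_fixed if fixed else store.delete_vulnerable
    return delete(session_user, post_id)


def idor_check(fixed: bool) -> tuple[int, bool]:
    """Two-account reproduction. Returns (status, victim's post still exists)."""
    store = PostStore()
    victim_post = store.create("victim", "hello world")
    status = handle_delete(store, "attacker", json.dumps({"code": victim_post}), fixed)
    return status, victim_post in store.posts
```

The same two-account test is the one to run manually in Burp: create with account A, capture the delete, replay it from account B's session with A's ID. A fixed endpoint answers the replay exactly as it would for a non-existent ID.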

These were my first bugs of the year. I found them in a VDP and reported 4 bugs, of which 3 were accepted. Try to spend more time on the target and try to understand every function.
