My first XSS Challenge which hosted by bugpoc.com

4 years ago 274
BOOK THIS SPACE FOR AD
ARTICLE AD

Vaibhav Kamdi(barood)

Hello there,

It’s my first writeup on bug-bounty so I am really sorry if I have made some mistake. This blog is a POC of XSS challenge which hosted by bugpoc.com. This POc is specially for those people who want to get success in bug-bounty and How their efforts helps them to reach towards the success in bug-bounty.

Why should I share a POC with you which is already available on twitter.com

2. How did I get alert popup on *.buggywebsite.com

Image for post

Image for post

The reason behind my 1 Que. :

The way of every bug-hunters methodology and mindset is different. Whenever we looked any program/challenge, our approached is different. So in that challenge my works was only to get alert(document.domain) on https://dogs.buggywebsite.com/

But How ??

I first looked the behavior by intercepting the request and send it into Burp-Repeater. There is a search option for finding the name of any Dogs breed.

So I simply searched Labra and intercept the request in Burp-Repeater.

Image for post

Image for post

I looked that there is no any parameter in url for searching the breed name. So I checked in repeater and understood that they used a json parameter “searchTerm” for searching.

Image for post

Image for post

So it’s questioning for me How did it works ? I looked into the page source and understood the game challenge. There is AJAX method for searching a breed name.

function doSearch(item) {

url = 'https://api.buggywebsite.com/search'
var xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = function() {
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
response = JSON.parse(xmlHttp.responseText);
populateTable(response);
}
else if (xmlHttp.readyState == 4 && xmlHttp.status != 200) {
console.log(xmlHttp.responseText);
}

}
xmlHttp.open('POST', url, true);
xmlHttp.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
xmlHttp.setRequestHeader('Accept', 'application/json');
data = {'searchTerm':item}
xmlHttp.send(JSON.stringify(data));

}

In the given code if I bypassed the if method on https://api.buggywebsite.com then obviously execute else if method and that’s my task.

I try with different variation in search box but it’s not working, my searchTerm like: labra”,”value”:”<img src=x onerror=alert(document.domain)>

and after understanding the bypassed method, above searchTerm made a lol for me.

The else-if execution is possible when the HTTP response is not equal to 200. So I need a 3XX, or 4XX response for it.

If I changed xmlHttp.setRequestHeader(‘Accept’, ‘text/html’); instead of xmlHttp.setRequestHeader(‘Accept’, ‘application/json’); then the alert will be popup, So I go on Burp-Repeater and changes Accept.

Image for post

Image for post

and it’s successfully exploited after I clicked on show response in browser, copy the link and paste it in browser.

I failed to submitted in given time period, but my earlier efforts helps me to understand the real scenario.

So never feel discourage if your bug reports is NA, Duplicates or Informative. Just do the works from your side, Sooner or later it works because bug-bounty is a race, So you need to practice with different approach and your favorite methodology. Hungry for knowledge is good with hungry for money.

I hope you had fun reading this, If you want, you can follow me on my social accounts:

https://twitter.com/kamdi_barood

Thanks and Regards,

Vaibhav Kamdi (barood)

Read Entire Article