Story of Interesting Bypass for recently resolved report on HackerOne.


Shantanu Kulkarni

Hello all amazing hackers out there. My name is Shantanu Kulkarni. I am working as a Security Consultant and Lead Penetration Tester at a security consultancy firm in India. I am also a part-time bug bounty hunter. First of all, thank you for your great response to my first blog. This response inspired me to write about one of my old and interesting findings. So without wasting time, let us begin.

This one is a private program invite I received in April 2021. As the program had a good scope, I accepted the invite and started looking at their domains, IPs and live subdomains. While my recon process is going on, I generally spend time understanding the target and sometimes simply google about it, like "target.com vulnerability" etc., but I didn't find anything special. Then I went to the program page on H1 and saw that many disclosed bugs were already there, which could help me understand more about the target. There was one recently (Feb 2021) resolved and disclosed report about XSS, so I thought it could be a perfect source of knowledge for me, and I immediately started reading it without any assumptions.

The report was very straightforward and simple: popping up the user's cookies with a script tag. The only thing it was blocking was the alert keyword. It was fixed and awarded a bounty of $200. Again, I checked its behavior and got to know that it is now blocking the alert and script keywords. So it could be poorly implemented input sanitization from the developers, so I needed to dig in and check. Then I started crafting a payload for it, and using the "onload" function of an iframe I was able to get cookies with a pop-up again!!
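The filter described above is a keyword blocklist, and the reason it failed is structural: removing a couple of words does nothing about the `<` that lets the browser start a new tag, and HTML has far more event handlers and tag names than any list will ever hold. The following is an added example, not code from the post or from the program in question, that models such a blocklist (assumed here to strip the words "alert" and "script" case-insensitively) beside the fix a developer should have shipped instead: context-aware output encoding of the value with Python's standard `html.escape`. The sample inputs are constructed for the demonstration.

```python
import html
import re

# Constructed stand-in for the kind of fix the write-up describes: the input
# is kept, only the words "alert" and "script" are removed (case-insensitive).
BLOCKED_KEYWORDS = ("alert", "script")


def blocklist_sanitize(value: str) -> str:
    """Keyword blocklist in the style the post describes.

    Kept here only as the weak 'before' form so the two approaches can be
    compared side by side; a blocklist like this is not a fix for XSS.
    """
    out = value
    for word in BLOCKED_KEYWORDS:
        out = re.sub(re.escape(word), "", out, flags=re.IGNORECASE)
    return out


def encode_for_html_body(value: str) -> str:
    """Context-aware output encoding for a value placed in an HTML text node.

    Every character that can open a tag or close an attribute (<, >, &, ", ')
    becomes an entity, so the browser renders the value as literal text no
    matter which tag or event-handler name it contains.
    """
    return html.escape(value, quote=True)


def can_start_markup(rendered: str) -> bool:
    """Minimal regression check: does a raw '<' survive in what we render?

    If it does, the browser can still parse a tag out of the value, which is
    exactly the condition the iframe-onload bypass relied on.
    """
    return "<" in rendered


# Constructed samples: the script-tag input of the original report, and an
# iframe with an onload handler of the kind the write-up says got past the fix.
# The handler body is a placeholder; what matters is that the tag survives.
SCRIPT_SAMPLE = "<script>alert(document.cookie)</script>"
IFRAME_SAMPLE = "<iframe onload=x()>"


def compare(value: str) -> dict:
    """Return what each approach would put into the page for one input."""
    return {
        "blocklist": blocklist_sanitize(value),
        "encoded": encode_for_html_body(value),
    }


if __name__ == "__main__":
    for name, sample in (("script", SCRIPT_SAMPLE), ("iframe", IFRAME_SAMPLE)):
        result = compare(sample)
        print(f"{name}: blocklist -> {result['blocklist']!r} "
              f"(markup possible: {can_start_markup(result['blocklist'])})")
        print(f"{name}: encoded   -> {result['encoded']!r} "
              f"(markup possible: {can_start_markup(result['encoded'])})")
```

Running it shows the blocklist mangling the original script-tag sample while passing the iframe sample through untouched, whereas the encoded form of either input no longer contains a raw `<`. The `can_start_markup` check is the kind of assertion worth keeping in a test suite after a fix like the one in the report: it tests the property the fix must guarantee (no markup can be introduced) rather than the one payload that was reported.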

Timeline:

April 9, 2021: Private invite received and reported within 30 mins of the invite.

April 12, 2021: Triaged.

May 21, 2021: Resolved and awarded. Received a bonus of $50 for writing a good report.

Learning Lessons:

Check for old resolved reports of your target to understand the target.

Try to bypass the fix for already resolved reports.

If you like my blog then you can always connect with me on Twitter.
