The $1,000 worth cookie


Verifying the XSS vulnerability.

One useful tip while testing for reflected XSS is to throw dangerous characters at the vulnerable parameter one at a time in order to determine which characters are being filtered out by the Web Application Firewall if present. Once you know which characters are filtered out and which are accepted, you are in a better position to craft a payload which will bypass the WAF. Luckily, that wasn’t the case with the application I was testing. Being the noob I was at the time, I did not understand the concept of context in relation to cross site scripting vulnerabilities. I tried to test the Cookie parameter by inserting the following payload into its value.

<script>alert(document.cookie)</script>

I clicked the response in Burp Suite, selected “Show response in browser”, and then loaded the generated link in Firefox. I gave it a few seconds to load, but once it did, there was no popup with an alert box revealing my cookies. I tried a couple of variations on my payload for about an hour longer before I decided to retire for the day, having posted my issue on a Facebook bug bounty forum to try and seek help.

This is what the request and response looked like:

GET / HTTP/1.1
Host: mail.ru
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: gp= some alpha numeric string;
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
200 OK
</script><script id="script:globals">var mr={:{BUILD:"307ad21",VERSION:1566410797,TIMESTAMP:1567848214281,TIMESTAMP_LOCAL: Date.now(),TIMEZONE:10800,AUTH:!1,CITY:"Кампала",REGION_ID:233, PAGE_ID: "15678651219031568689886875",ACC_CNT: false,MEDIA_ORDER:"regional,regional,auto,auto,lady,lady,deti,deti,health,health,sport,sport,cinema,cinema,hitech,hitech,games,games",INCUT_ORDER:"incut,stub",WIDGET_ORDER:"horo,tv,torg",FEATURE_ORDER:"auto,lady,sport,cinema,hitech,games",TARGET:"default",SITEZONE:15,SITEID:169,DEVICE:"desktop",BROWSER:"Firefox",PLATFORM:"Linux",REGION_LEVEL_ID:188,GP:"Payload gets reflected here ;",CSRF:"3b021e69c3bf49fe900037b18fc581be",MANUAL_REGION_NOT_RUSSIA:true,HONEYPOT: '.gridmain-col .tgb, .grid .grid_main-col

I got back to testing the next day when suddenly it occurred to me that I had to close the initial script tag and then introduce a new tag. I quickly modified my payload to:

</script><script>alert(document.domain)</script>

I fired the request and observed it get properly reflected in the response.
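The reason the second payload worked is that the HTML tokenizer ends an inline script element at the first `</script`, no matter whether the JavaScript parser is still inside a string literal. The following added example (my own code, not Mail.ru's, with the response layout reduced to a constructed `var mr={GP:"..."}` block) renders the cookie value into the script the vulnerable way and the safe way, and counts how many script elements the page ends up with:

```python
import json
import re

# Constructed sample: the breakout payload from the writeup, supplied as a cookie value.
BREAKOUT = '</script><script>alert(document.domain)</script>'


def render_vulnerable(gp):
    """Reflect the cookie value straight into a JS string literal, as the response did.
    Quoting it in JavaScript does nothing: the HTML parser sees '</script' first."""
    return f'<script id="script:globals">var mr={{GP:"{gp}"}};</script>'


def render_safe(gp):
    """Serialize as JSON, then escape the characters the HTML tokenizer reacts to.
    '<' becomes \\u003c, so '</script' can never appear raw inside the element.
    U+2028/U+2029 are escaped as well because they terminate JS lines."""
    s = json.dumps(gp)
    for raw, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026'),
                     ('\u2028', '\\u2028'), ('\u2029', '\\u2029')):
        s = s.replace(raw, esc)
    return f'<script id="script:globals">var mr={{GP:{s}}};</script>'


def script_blocks(html):
    """Approximate the tokenizer: each match is one script element's body,
    ending at the first '</script' after its start tag."""
    return re.findall(r'<script[^>]*>(.*?)</script', html, flags=re.S | re.I)


def breaks_out(html):
    """True when the reflected value split the single inline script into several."""
    return len(script_blocks(html)) != 1


def embedded_value(html):
    """Read the GP value back out of a page produced by render_safe (assumed layout)."""
    body = script_blocks(html)[0]
    return json.loads(re.search(r'GP:(".*")\}', body).group(1))


if __name__ == '__main__':
    print('vulnerable breaks out:', breaks_out(render_vulnerable(BREAKOUT)))  # True
    print('safe breaks out:', breaks_out(render_safe(BREAKOUT)))              # False
    print('safe value round-trips:', embedded_value(render_safe(BREAKOUT)) == BREAKOUT)
```

The safe rendering still hands the browser the exact original string (JSON `\u003c` escapes decode normally), which is the behaviour a fix for this class of bug should preserve.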


Loading the response in the browser finally popped the alert box showing the domain on which the XSS had been triggered for the above payload.


Output for payload revealing user’s cookies

I reported this to Mail.ru and was somewhat skeptical about it being rewarded, since it appeared to be a self-XSS issue at best. However, my hopes were raised after reading up on a couple of reports where bug bounty hunters had demonstrated to Mail.ru that the man-in-the-middle attack vector could be used to deliver attacks to legitimate users, taking advantage of vulnerable cookie parameters in their website infrastructure. I have included a link for further reading at the end of this writeup.

Timeline:

September 7, 2019 — Reported.

September 8, 2019 — Triaged.

September 26, 2019 — Bounty awarded.

September 27, 2019 — Issue fixed.

Link to my HackerOne report: https://hackerone.com/reports/690072

For further reading, please check the following informative Medium story from Max:
