During your bug hunting adventures, you may find yourself deep in the cyber mud. A shower of ones and zeros getting you soaked. Failed payload after failed payload making you miserable. Hitting a wall, and I don't mean a firewall, I mean the wall that gets you truly stuck. And you may think this is one of those walls that can't be bypassed: it's not a WAF, it's a mental wall. This article will show that, at times, there are ways to bypass even those kinds of walls.
The wall:
A new bug bounty program. How exciting. The endless possibilities of finding all kinds of bugs. Different challenges, but also different security holes, possibly, hopefully.
I went in ready for action. I clicked things, I watched my Burp history. I tried to understand how the website in question functions. What is its role? How is it meant to be used? How is it meant to respond to users' activity? And similar, very important questions if you really want to find bugs.
Until... nothing there. I clicked everything, I tried the usual XSS payloads, I tried Django-related bugs (because the website was built on Django), I fuzzed the user inputs that seemed promising. I found some silly bugs, but too small to matter. There was nothing, and yet, with such complex functions, and so many of them, how could that be? What was I missing? Was it something that I simply couldn't figure out? A single grain of doubt turned into an insurmountable wall with rough edges and a surface unsuitable for an unskilled climber, which is what I suddenly saw myself as. I was not good enough.
The dynamite that made a decent hole in the wall:
If you're truly serious about bug hunting, then you can't really afford to just leave the target and figure you'll sleep on it. Not on its own, anyway. That's where Twitter comes in handy.
After giving up, temporarily, on the target website, I readied a movie to watch, and just before starting it I figured, let's see what new things Twitter has to offer. By new things, I mean news about bug bounties, tips, new payloads, interesting write-ups, and so on. For this, I follow the usual folks from the bug bounty community. But I also follow accounts that just retweet others; one can never know what unexpected piece of useful info may come from there.
In my case, I scrolled through my Twitter feed not expecting much. I figured, let's bookmark some interesting write-ups, maybe new bypasses for those pesky WAFs, and get back to the movie. But, to my surprise, I stumbled on this tweet:
Since it was XSS in something Google-related, I immediately clicked the link to see what magical payload did the trick. What I found instead made me put the movie off for later, because it was about Jupyter Notebook. And the target website had Jupyter Notebook as well.
Mr. Gorbachev, tear down this wall:
As I was cleaning up the gravel from the mostly broken wall, I kept reminding myself that this may or may not work; not to lose patience, and to pay attention to the bug exactly as described in the link. I also had to take into account that the target website's Jupyter deployment might differ from the one in the write-up.
I first verified that the support needed for the XSS payload described in the link was present.
OK, the support was there. The affected component was MathJax. But there was always a chance that it had been patched at some point. In other words, it was time to make it or watch the wall being rebuilt.
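A quick way to do that "is the support there, and is it still the affected version" check is from the browser console on the notebook page itself. The helper below is an added example written for this article, not code from the original post or from the Jupyter project. It assumes the classic Jupyter Notebook front end (which exposes `window.Jupyter.version`) and MathJax 2 (`MathJax.version` and the TeX extension list under `MathJax.Hub.config.TeX.extensions`); on MathJax 3 the extension list simply comes back empty. The version to compare against is whatever the write-up you are reproducing names as fixed; none is supplied here. The `win` parameter exists only so the helper can be exercised outside a browser with a constructed object.

```javascript
// Added example (not from the original post): reconnaissance helper for a
// Jupyter Notebook page. Reports whether the classic notebook front end and
// MathJax are loaded, and their versions, so the result can be compared with
// the "fixed in" version given in the write-up being reproduced.
// `win` is injected (defaults to the real window when one exists) so the
// helper can also run in Node with a constructed object.
function probeNotebookMathJax(win) {
  const w = win !== undefined ? win : (typeof window !== 'undefined' ? window : {});
  const result = {
    jupyterVersion: null,   // classic notebook sets window.Jupyter.version
    mathjaxPresent: false,
    mathjaxVersion: null,
    mathjaxMajor: null,
    texExtensions: [],      // MathJax 2 lists loaded TeX input extensions here
  };

  if (w.Jupyter && typeof w.Jupyter.version === 'string') {
    result.jupyterVersion = w.Jupyter.version;
  }

  const mj = w.MathJax;
  if (mj && typeof mj.version === 'string') {
    result.mathjaxPresent = true;
    result.mathjaxVersion = mj.version;
    const major = parseInt(mj.version.split('.')[0], 10);
    result.mathjaxMajor = Number.isNaN(major) ? null : major;
    // MathJax 2.x keeps its configuration under Hub.config; MathJax 3 changed
    // the layout, so the extension list stays empty there.
    const tex = mj.Hub && mj.Hub.config && mj.Hub.config.TeX;
    if (tex && Array.isArray(tex.extensions)) {
      result.texExtensions = tex.extensions.slice();
    }
  }
  return result;
}

// Dotted-version comparison: true when `found` is strictly older than
// `fixedIn`, i.e. the deployment may still be affected. Missing components
// (e.g. "2.7" vs "2.7.5") are treated as zero.
function olderThan(found, fixedIn) {
  const a = found.split('.').map(n => parseInt(n, 10) || 0);
  const b = fixedIn.split('.').map(n => parseInt(n, 10) || 0);
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// In a browser console on the notebook page:
//   const p = probeNotebookMathJax();
//   console.table(p);
//   olderThan(p.mathjaxVersion, '<fixed version from the write-up>');
```

If `mathjaxPresent` is false the page does not render TeX at all and the MathJax-based payload has nothing to hit; if it is present, the version and extension list tell you whether the deployment is plausibly still in the affected range before you spend time on the payload itself.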
PoC:
I entered the payload:
and voila:
After reloading the page I noticed that the XSS triggered again, which meant stored XSS achieved. And with the ability to share the XSS-ed notebook, well, you get the point: it meant good things for my bug report. I refreshed the page a few more times and logged out and back in, just to verify that it wasn't some temporary encoding/decoding artifact. It wasn't :)