Why you should use Burp to test for Path Traversal vulnerabilities (and also get an RXSS)


Yasser Mohammed (@boomneroli)

Hi everyone, it’s Yasser again (AKA Neroli).
I told you that my brother (who is 16 years old) and I were doing some bug bounty hunting, and we found these cool bugs.

As always I picked a target which was interesting, since it has a lot of functionality and is so easy to use. I don’t do a lot of recon, so we just started on the main domain.

My brother started doing random actions to understand how everything works;
after some clicks it was time for some crazy things XD.

We started directory brute forcing to find some endpoints.
While doing that my brother started sending random path traversal payloads, and I also wrote a small script to take a screenshot of every URL,
but we didn’t get anything

until my brother started checking the Burp responses.

At this point my brother tried this URL:

https://Target/material/profile/endpoint/{numerical_id}

So he started appending path traversal payloads to the id.

We knew we needed to go back four directories to reach the root, so he tried this:

https://Target/material/profile/endpoint/{numerical_id}/../../../../

Normally this request leads to the main domain, https://target,
which is what happens when we load the URL in a browser. But in Burp we got a different response!

Clicking “Show response in browser” we got this:

Directory Listing

My hypothesis is that the website talks to an internal API that is vulnerable to path traversal, and when the browser sends the request the flow is as follows:

That’s why we got different results when we used Burp.
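To make the difference concrete, here is a small added illustration (my own code, not part of the original write-up). A browser resolves the `/../` segments client-side (RFC 3986 “remove_dot_segments”) before the request leaves the machine, so the server only ever sees `/`; Burp Repeater sends the path verbatim. If a front end makes its routing or access decision on the raw path while the backend normalizes it, the two components are talking about different resources. The hostname, id and prefix-based router are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed request modelled on the write-up; host and id are placeholders.
RAW_URL = "https://target.example/material/profile/endpoint/1234/../../../../"
PROFILE_PREFIX = "/material/profile/endpoint/"


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 applied to an absolute path, as a browser does."""
    out = []
    segments = path.split("/")[1:]          # drop the empty segment before the leading '/'
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()                    # step up one directory, never above '/'
        elif seg != ".":
            out.append(seg)
    if segments and segments[-1] in (".", ".."):
        out.append("")                       # a trailing dot segment keeps a trailing '/'
    return "/" + "/".join(out)


def what_each_client_sends(url: str) -> dict:
    """The request line a raw client (Burp) sends versus what a browser sends."""
    raw = urlsplit(url).path
    return {"burp": raw, "browser": remove_dot_segments(raw)}


def naive_front_end_route(raw_path: str) -> str:
    """Routes on the raw string: the traversal still looks like a profile request,
    so it is forwarded to the backend, which resolves it to '/' and serves that."""
    return "profile-api" if raw_path.startswith(PROFILE_PREFIX) else "deny"


def hardened_front_end_route(raw_path: str) -> str:
    """Normalize first, then decide: the front end and backend now agree on the path,
    and a request that resolves to '/' never reaches the internal API."""
    normalized = remove_dot_segments(raw_path)
    return "profile-api" if normalized.startswith(PROFILE_PREFIX) else "deny"


if __name__ == "__main__":
    print(what_each_client_sends(RAW_URL))
    raw = urlsplit(RAW_URL).path
    print("naive:", naive_front_end_route(raw), "| hardened:", hardened_front_end_route(raw))
```

On the defensive side, disabling directory listing on the internal API closes the second half of the problem, since even a normalized `/` would then not reveal the endpoint names.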

From here I started to dig deeper into this issue. Browsing each of the discovered endpoints, I found an internal endpoint responsible for formal email templates.

Email Template Preview UI

Picking a template,

inserting a simple XSS payload and pressing preview, I got an alert :)

XSS

Hmmm, but as you can see it’s a self XSS, so we cannot do much with it.

I intercepted the request responsible for the XSS and created a simple CSRF PoC to replay the request; as soon as we open the page, the XSS is executed.

RXSS

As you can see there is a “Send a test Email” button, which seems to send a test email to the company email from a company email as well, so it’s very possible that employees would open it as a normal email.
I found that in one template I can insert a URL, so I inserted the RXSS URL; as soon as the admin opens the email and clicks the button, he is redirected to the RXSS link and we get his cookies :)

Reset Password Test Email

Note that there are many templates, so it’s not only the reset password email we can send.

After sending the test email:

The bugs first got marked N/A as usual XD,
then after a small argument I showed the impact, they got triaged and we got $700 :)

Moneeey
My brother and I telling each other we will work at FB XD

I hope you enjoyed this write-up, and watch for my “Tips for New Bug Bounty Hunters” post.
