XSS Challenge hosted by bugpoc.com


Ali TÜTÜNCÜ

Hello there,

In this article, I will share how I got an alert on my target. It was http://dogs.buggywebsite.com/.

I visited the website and I saw a search bar. I thought XSS might be there!


I tried searching for something, so I wrote “A”. It listed dog breeds which start with “A”. Response:


Something caught my attention. I couldn’t see any parameter in the URL. Interesting! Then I tried listing the subdomains, thinking I might get more information, but I saw it had only two subdomains:

http://dogs.buggywebsite.com/
http://api.buggywebsite.com/

I wanted to check the request and response when I searched for text. I opened Burp Suite and I put “A” in the search box. Request & Response:


It was a normal JSON response (Content-Type: application/json). If I want to get the alert, it must be text/html! I tried changing the Accept header to text/html (it was application/json).


And the Content-Type changed to text/html, successfully. Yay! The next step is getting the domain name via alert. I tried a simple payload: <script>alert(document.domain)</script>
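To make the root cause concrete, here is an added example (written for this article; it is not the challenge's or bugpoc.com's code) of a search handler that behaves the way the API above did, next to a hardened version. Request and response are plain objects so it runs offline in Node without a web framework; the breed list and the handler names are constructed for the example. The weak version lets the client's Accept header pick the response Content-Type and reflects the raw search term into the body, which is exactly what turns a JSON endpoint into an HTML document that the browser will execute. The hardened version pins the Content-Type server-side, escapes `<`, `>` and `&` inside the JSON string values so the body is inert even if something mislabels it, and sends `X-Content-Type-Options: nosniff` so the browser does not second-guess the declared type.

```javascript
// Added example, not code from the original post. Request/response are plain
// objects: { headers: {lowercase-name: value}, query: {q: "..."} } in,
// { status, headers, body } out.

// Constructed sample data standing in for the real breed list.
const BREEDS = ["Affenpinscher", "Afghan Hound", "Akita", "Beagle"];

function searchBreeds(prefix) {
  const p = String(prefix).toLowerCase();
  return BREEDS.filter((b) => b.toLowerCase().startsWith(p));
}

// Weak handler (hypothetical, mirrors the behaviour described in the article):
// the Content-Type follows the client's Accept header, and the search term is
// reflected verbatim. JSON.stringify does not escape '<' or '>', so a body
// served as text/html is rendered and any script in it runs.
function vulnerableHandler(req) {
  const q = req.query.q ?? "";
  const accept = req.headers["accept"] ?? "application/json";
  const contentType = accept.includes("text/html") ? "text/html" : "application/json";
  const body = JSON.stringify({ query: q, results: searchBreeds(q) });
  return { status: 200, headers: { "Content-Type": contentType }, body };
}

// Escape characters that are meaningful to an HTML parser using JSON \uXXXX
// sequences. JSON.parse turns them back into the original characters, so API
// clients see the same data, but the raw bytes never contain '<', '>' or '&'.
function htmlSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

// Hardened handler (hypothetical): the server decides the media type, the body
// cannot contain HTML-significant characters, and nosniff tells browsers to
// trust the declared type rather than sniffing the content.
function hardenedHandler(req) {
  const q = String(req.query.q ?? "").slice(0, 64);
  const body = htmlSafeJson({ query: q, results: searchBreeds(q) });
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body,
  };
}

// Quick review check for a response object: is it safe to reflect user input?
// True only when the type is JSON, nosniff is set and the body has no '<'.
function responseIsInert(res) {
  const ct = (res.headers["Content-Type"] ?? "").toLowerCase();
  return (
    ct.startsWith("application/json") &&
    res.headers["X-Content-Type-Options"] === "nosniff" &&
    !res.body.includes("<")
  );
}

// Stand-alone demo using the payload from the article as the search term.
const demoReq = {
  headers: { accept: "text/html" },
  query: { q: "<script>alert(document.domain)</script>" },
};
console.log("weak    :", vulnerableHandler(demoReq).headers["Content-Type"],
  responseIsInert(vulnerableHandler(demoReq)));
console.log("hardened:", hardenedHandler(demoReq).headers["Content-Type"],
  responseIsInert(hardenedHandler(demoReq)));
```

The point to take from the comparison is that content negotiation on an API that reflects input is a content-type confusion bug, not a "JSON is safe" situation: the fix is to stop honouring Accept for the response type, escape HTML-significant characters inside the JSON, and add nosniff, and a reviewer can check all three with `responseIsInert` on any response the endpoint produces.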


And boom, P1! Haha :D. Successfully exploited. I created a PoC using https://bugpoc.com/.


Here is the PoC code: https://pastebin.com/7nZvm6Cv

I hope you had fun reading this. If you want, you can follow me on my social accounts:

https://twitter.com/alicanact60

You can also follow https://bugpoc.com’s Twitter account:

https://twitter.com/bugpoc_official
