
Grabbing : Low Hanging Fruits #3

This tale is about how I was able to pluck an XSS hanging between the lines.
While I was fuzzing through the site REDACTED.com, I came across this
URL : https://www.REDACTED.com/index.php?path=account/xyz

Remember the rule?
"RULE TO RULE : ALWAYS INSPECT THE SOURCE"


Failing to resist my temptation, I inspected the source. It took a while, but then I saw this in the source code:
And I'm like :
So I tried to inject code to trigger XSS by breaking out of the route_url string and creating an alert to test.
Vulnerable parameter : ?path=

From the source we can see that the value of the parameter path in the URL is reflected in the page source.

In URL :
--> ?path=account/xyz

In source :
--> <script type="text/javascript">
      route_url='account/xyz';
    </script>

Whatever value I give to the parameter (?path=) gets reflected in the source between the <script> tags.
So you can inject JavaScript code through the parameter (?path=) and it lands directly
between the script tags, and as you know, code between <script> tags is JavaScript and it executes, which gives you XSS.

I tried to exploit this behaviour:

In URL :
--> ?path=account/xyz';alert('xss')//      <!-- I used a single quote (') to break out of route_url -->

In source :
--> <script type="text/javascript">
      route_url='account/xyz';
      alert('xss')//                       <!-- Broke out of route_url and created a new alert statement -->
    </script>

This successfully triggered XSS.


Time to report before it becomes a duplicate.

RULE #3 : Report quickly (ASAP) once you find the vulnerability.

Reported and got some decent bounty.

See you soon.

Hare krishna.

@signing off
-Varun

