Introduction:
The article is about a bug on a private program which I found. The bug reported was a stored xss through AngularJS CSTI. I’ll be sharing my mindset and what I experienced when found this vulnerability.(Might not be for experts, I’m a beginner so please leave your suggestions in comment and Sorry for the bounty bait it’s $800 for each endpoint)
Mindset:
So I was hunting on this application built with different technologies and many user roles.
Different User Roles — Check
Many functionalities — Check
Many Technologies used— Check
It ticked my checks for a perfect application a Pentester/Bug bounty hunter would love to test on.
Tip: When testing a application, go as deep as possible i.e test every button, every functionality and every single thing that is accessible.
U29ycnkgZm9yIHRoZSBib3VudHkgYmFpdCwgSSdtIGRvaW5nIGl0IHRvIGdldCBhIGdvb2QgcGF5aW5nIGZ1bGwgdGltZSBqb2IgdG8gYmUgaG9uZXN0
I tried enumerating all the functionalities that the application has first and got a basic idea of how it works , what it does and what each user role is supposed to have access to.(This is really important)
Then I just tried checking IDOR/Access controls through Autorize(I’m really grateful to the people who built it) but couldn’t find any.
So I just went ahead and started testing for XSS. I tried testing all the inputs available for CSTI payload {{7*7}} since it’s AngularJS.
Strangely, When I first tested for it, I didn’t reflect as intended(49). After more testing, I found that the application has different parts and some parts weren’t based on AngularJS 1.5.9(remember the diff technologies I mentioned).
There was a search field which triggered the payload and got the result as 49. I was like
There was a problem though, the search was through post request so not a get parameter to edit.I thought of doing a POST based reflected xss too but there was a CSRF token so tried CSRF bypasses but didn’t work.
I was like what am I supposed to do now. Then I started finding inputs that were stored. I started first collecting all the places where I could store and started testing them out. I was like “I’ll have to give my 100%”
BTW, this was on a private program .And sorry that I can’t share any screenshots since it’s all private.
Getting back, the places where it stored didn’t reflect at first but after few steps(like second order ,input gets stored in one place and gets triggered in other). I was like hmm…Nice!. I edited the payload
{constructor.constructor(alert(1)}to alert the cookie value and though it did have secure and httponly cookie. It had a duplicate of all these cookies without the flags set.
TIP: When you find a vulnerability in one endpoint try to find the same in all others endpoints too.
I found 5 places where it got triggered and reported all the endpoints for maximum coverage.
And I just didn’t wait for the qr to end to see other submission. Just went to sleep since it was too late already. I didn’t think much if it’ll be accepted or not. My thought was like to do my best in preparing report. I went to bed with a the feeling of all being rejected doubting my report quality.
Though I tried to sleep, the adrenaline rush didn’t let me sleep and I was checking my mobile for status of it every 2 hours in between naps. And In the morning like around 5 AM, I checked my mail and I was like
I too can do it. 4/5 reports competed and won the qr round and received $$$ each.The first person I shared this was my mom. I went to my mom and shared this waking her out of bed in half sleep. The happiness on my mother’s face made it worth all the effort.
Timeline:
Hunt: 6pm-8pm
Report: 8pm –9pm
Accepted: 5 A.M
And now back to this feeling
, till I find my next bug.
The bug might be simple but the process of finding it in all the places, writing the report a good quality report is not that easy. Thanks a lot for reading my article, hope it helped you in some way.
I’m currently looking for a full time job role as Red team/Web application Pentester, please reach out to me if you have any opening.
