Introduction
Hi everyone, and welcome to my latest blog post! Today, I’m excited to share with you the story of my first-ever bug discovery on a popular real estate website, which I’ll refer to as example.com for privacy reasons.
Discovering the Blind XSS
Just four months into learning about bug bounties, I managed to uncover a blind XSS vulnerability. This discovery allowed me to gain control over an admin page on example.com, marking a significant milestone in my cyber security journey.
What is Blind XSS?
Blind XSS is a type of Cross-Site Scripting vulnerability that occurs when stored or reflected XSS payloads are executed in a different part of the application, usually where the attacker cannot see the result directly. Unlike conventional XSS vulnerabilities, blind XSS can be harder to identify and exploit, as the attacker doesn’t receive immediate feedback. This makes it especially important for security researchers to use tools like XSSHunter to track the execution of their payloads.
The Turning Point
In the beginning, I tried basic tactics like injecting malicious code into files I uploaded to the website and using payloads as my name in my account. My breakthrough came when I used XSSHunter’s payloads in the site’s chat feature, where users ask for information about properties.
Notifications and the Big Reveal
A week after sending the payload, I received an email notification from XSSHunter that my payload had been executed on admin.example.com. The attached screenshot seemed odd, and as a beginner, I thought it was a false positive.
To my surprise, the same email notification kept arriving every week. Three months later, after learning more about XSS vulnerabilities and cookies, I decided to revisit that XSSHunter notification. Late one night at 3 am, I followed the link to a login page. I replaced the website’s cookies with the ones provided in the email, refreshed the page, and BOOM! There it was: the admin page.
POC
- Create an account on example.com and log in.
- Navigate to the chat feature where users ask for information about properties.
- Insert an XSSHunter payload in the chat message input field.
- Wait for an email notification from XSSHunter, confirming the payload has been executed on admin.example.com.
- Open the admin login page and replace the website’s cookies with the ones provided in the XSSHunter email.
- Refresh the page and gain access to the admin page.
The Impact
The vulnerability I found had serious implications for the security of example.com. It was caused by poor input sanitization in the site’s contact forms, allowing attackers to insert payloads instead of contact information and intercept cookies from the administrator who reads the message.
My attack was different from typical stored XSS attacks because it targeted an administrator, not just a regular user. This meant I could potentially cause more damage, such as taking full control of property ads, accessing client information, and adding payloads or phishing URLs into ad descriptions to hijack user accounts.
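As an added example (not code from the original post or from example.com), the snippet below shows the defensive side of the two sections above: how an admin-side chat inbox renders visitor messages without executing them, a session cookie set so that script cannot read it, and a simple review check over stored messages. Function names, the message format, the cookie name and the sample messages are assumptions; it goes beyond the post by showing the encoding and cookie attributes rather than the injection.

```javascript
// Added example, not part of the original write-up. All names and sample
// data below are constructed for illustration.

// Minimal HTML entity encoding for text placed inside an element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the visitor's message is concatenated raw into the
// admin page, so any markup in it becomes live HTML the moment an admin
// opens the inbox. This is the pattern the post describes.
function renderMessageUnsafe(msg) {
  return `<li><b>${msg.from}</b>: ${msg.body}</li>`;
}

// Hardened rendering: every user-controlled field is entity-encoded before
// it is placed inside the element body, so markup is shown as text.
function renderMessageSafe(msg) {
  return `<li><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</li>`;
}

// Session cookie for the admin application (assumed cookie name). HttpOnly
// keeps the value out of document.cookie, so even a script that does run in
// the admin page cannot read and forward it; Secure and SameSite limit where
// the browser will send it.
function adminSessionCookie(sessionId) {
  return `admin_session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Review check: flag stored chat messages that contain HTML tags, inline
// event-handler attributes or javascript: URLs so they can be inspected.
const SUSPICIOUS = /<\s*\/?\s*[a-z][^>]*>|on[a-z]+\s*=|javascript:/i;
function flagSuspicious(messages) {
  return messages.filter((m) => SUSPICIOUS.test(m.body)).map((m) => m.id);
}

// Constructed sample inbox, as visitors might submit through a property chat.
const SAMPLE_MESSAGES = [
  { id: 1, from: "alice", body: "Is the flat on Elm Street still available?" },
  { id: 2, from: "bob", body: "Viewing at 5pm? <b>Thanks</b>" },
  { id: 3, from: "carol", body: '<script src="https://example.invalid/probe.js"></script>' },
];

for (const m of SAMPLE_MESSAGES) {
  console.log("unsafe:", renderMessageUnsafe(m));
  console.log("safe:  ", renderMessageSafe(m));
}
console.log("flagged message ids:", flagSuspicious(SAMPLE_MESSAGES));
console.log(adminSessionCookie("constructed-session-id"));
```

Note that the review check is deliberately broad: message 2 is flagged for a harmless `<b>` tag, which is acceptable for a triage list but would be too noisy as a blocking filter. The rendering fix is what removes the vulnerability; the cookie attributes limit the damage if a rendering bug slips through elsewhere.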
Conclusion
My first bug earned me a $1000 bounty, and I’m excited to share more discoveries with you. Follow me for more interesting stories and useful tips as we explore the world of cyber security together.