Pentest War Stories-ish

šŸƒQuote of the week:

Always look for ways to chain bugs to increase the impact - one crit is cooler than two mediums.

Some bug bounty guy

What To Expect 🫔

  • How & Why You Should Escalate Your XSS 🐞
  • Actionable Research For Your Resume 📝

Always Escalate XSS 🐞

I recently worked on a web pentest that had multiple tiers of users—the best type of application. Obviously, given the heading above, you know I found XSS—stored XSS, to be exact. I’m not always on the hunt for client-side vulnerabilities, but I’ll throw in a couple of payloads here and there to see if there’s any sort of reflection. This time around, there were multiple instances of stored XSS, and I found myself smiling from ear to ear.

I won’t go into the intricacies of how to exploit XSS, but in an application with multiple tiers of users, if a low-level user (or any user, in fact) can store an XSS payload that gets executed by other users interacting with the application—you can take over accounts.

This can happen in two ways: either set up your payload to make application-level requests on behalf of the user, or exfiltrate their cookie if attributes like HttpOnly and Secure are not set. HttpOnly is the main one: Secure only keeps the cookie off plaintext HTTP, so a script running in the page can still read it and exfiltrate it over TLS even when Secure is set.

If you’re doing bug bounty, some of these small items, such as the HttpOnly flag missing from a session cookie, might not seem impactful on their own. However, if you take note of them and apply them to the broader context of the application, you can escalate a medium-severity stored XSS to a high/critical account takeover.
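To make the "take note of the small items" step concrete, here is an added example (not code from the original post) that audits captured Set-Cookie headers for the attributes discussed above and rates a missing HttpOnly on a session-looking cookie as the finding that turns stored XSS into account takeover. The sample headers, the session-name heuristics and the risk scale are constructed for this example.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers as you would capture them from a
# proxy or from a client library's raw response headers (not real app data).
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Secure",                        # readable by JS
    "csrftoken=xyz; Path=/; HttpOnly; Secure; SameSite=Lax", # hardened
    "theme=dark; Path=/",                                    # low value
]

# Heuristic (an assumption for this example): names that usually carry auth state.
SESSION_NAMES = ("session", "sessionid", "jsessionid", "phpsessid", "auth", "token")


def audit_cookie(header):
    """Parse one Set-Cookie header and report which hardening attributes it lacks.

    HttpOnly is weighted highest: Secure only keeps the cookie off plaintext
    HTTP, it does nothing against a script already running in the page.
    """
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    # Morsel flags are True when present and "" when absent.
    missing = []
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["samesite"]:
        missing.append("SameSite")
    session_like = any(s in name.lower() for s in SESSION_NAMES)
    # Risk scale is this example's own, not the post's severity scale.
    if session_like and "HttpOnly" in missing:
        risk = "high"    # stored XSS can read document.cookie -> account takeover
    elif session_like and missing:
        risk = "medium"  # auth cookie, but script access is already blocked
    else:
        risk = "low"
    return {"name": name, "missing": missing, "session_like": session_like, "risk": risk}


def audit_headers(headers):
    """Audit every Set-Cookie header and return one finding per cookie."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_SET_COOKIE_HEADERS):
        print(finding)
```

Run it against the headers of a login response for each user tier; the cookie that comes back "high" is the one whose absence of HttpOnly is worth recording next to the XSS finding.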

During this test, I was able to do both—make application-level requests on behalf of other users and exfiltrate user cookies to my testing server.

NOTE: Make sure you control the infrastructure you exfiltrate the cookies to. Do not use websites such as webhook[dot]site. Spin up a Python Flask server, generate a self-signed certificate using OpenSSL, and listen for connections.

Let me know if you’d like me to do a bit more of a technical follow-up with my exact process and payloads - wasn’t sure if that would be interesting or not.

Actionable Research For Your Resume 📝

As for actionable research, since I was able to make application-level requests, I wanted to see if I could make internal requests. This was a bit of a stretch because I had no clue what the backend of the application looked like, but I still wanted to see how far I could get.

I tried various payloads, context switching, and all that stuff to see if I could reach anything internally—but to no avail. I probably missed something, so I just noted it down as: XSS to SSRF?

I’ve seen some articles about it, but nothing seemed concrete. There are obviously instances where it’s an easy bug chain, but what about the more intricate scenarios? Here’s my advice to you: instead of spending your hard-earned money on a certification that will take you six months to study for, take a month to dive deep into this topic and build case studies that show a repeatable methodology. Even if it doesn’t end up being repeatable, research that touches on edge cases is still valuable.

This will get you more attention than a cert probably will. If you don’t do it, someone else will. I know I’ll be circling back to it at some point.

I have noted down a lot more potentially valuable research topics. Let me know if you would want me to do a video about these.
