Pentest War Stories-ish
- Tadi
- Newsletter , Technical
- November 22, 2024
Quote of the week:
Always look for ways to chain bugs to increase the impact - one crit is cooler than two mediums.
Some bug bounty guy
What To Expect
- How & Why You Should Escalate Your XSS
- Actionable Research For Your Resume
Always Escalate XSS
I recently worked on a web pentest that had multiple tiers of users—the best type of application. Obviously, by the heading above, you know I found XSS—stored XSS, to be exact. I'm not always on the hunt for client-side vulnerabilities, but I'll throw in a couple of payloads here and there to see if there's any sort of reflection. This time around, there were multiple instances of stored XSS, and I found myself smiling from ear to ear.
I won't go into the intricacies of how to exploit XSS, but in an application with multiple tiers of users, if a low-level user (or any user, in fact) can store an XSS payload that gets executed by other users interacting with the application, you can take over accounts.
This can happen in two ways: either set up your payload to make application-level requests on behalf of the user, or exfiltrate their cookie if attributes like HttpOnly and Secure are not set. HttpOnly is the main one: Secure only stops the cookie from being sent over plaintext HTTP and does nothing to stop script from reading it, so a cookie can still be exfiltrated over TLS even if Secure is set.
If you're doing bug bounty, some of these small items, such as HttpOnly being set to false, might not seem impactful on their own. However, if you take note of them and apply them to the broader context of the application, you can escalate a medium-severity stored XSS to a high/critical account takeover.
During this test, I was able to do both—make application-level requests on behalf of other users and exfiltrate user cookies to my testing server.
NOTE: Make sure you control the infrastructure you exfiltrate the cookies to. Do not use websites such as webhook[dot]site. Spin up a Python Flask server, generate a self-signed certificate using OpenSSL, and listen for connections.
Let me know if you'd like me to do a bit more of a technical follow-up with my exact process and payloads - wasn't sure if that would be interesting or not.
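The "small items" above are exactly what to record on every response during a test. Here is an added example (my own, not from the engagement or the newsletter) that audits Set-Cookie headers for the attributes that decide whether a stored XSS can escalate to session theft; the sample headers and the session-name heuristics are constructed assumptions, not data from any real target.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample response headers (not captured from any real application).
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; Secure",
    "Set-Cookie: csrftoken=xyz789; Path=/; HttpOnly; Secure; SameSite=Strict",
    "Set-Cookie: theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]
SESSION_HINTS = ("sess", "sid", "auth", "token", "jwt")  # assumed naming heuristic

@dataclass
class CookieFinding:
    name: str
    issues: List[str] = field(default_factory=list)

def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")   # flag attributes (HttpOnly) get ""
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_set_cookie(value: str) -> CookieFinding:
    name, attrs = parse_set_cookie(value)
    finding = CookieFinding(name)
    if "httponly" not in attrs:
        # The attribute that matters for XSS: without it, document.cookie exposes
        # the value to any injected script, regardless of Secure.
        finding.issues.append("missing HttpOnly: readable by injected script")
    if "secure" not in attrs:
        # Secure only blocks plaintext transport; it never blocks script access.
        finding.issues.append("missing Secure: sent over plaintext HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        finding.issues.append("SameSite not Lax/Strict")
    if finding.issues and any(h in name.lower() for h in SESSION_HINTS):
        # Weak attributes on a session-like cookie: XSS escalates to account takeover.
        finding.issues.insert(0, "session-like cookie: treat as account-takeover risk")
    return finding

def audit_response_headers(headers: List[str]) -> List[CookieFinding]:
    findings = []
    for line in headers:
        field_name, _, value = line.partition(":")
        if field_name.strip().lower() == "set-cookie":
            findings.append(audit_set_cookie(value.strip()))
    return findings
```

Feed it the raw header lines from a proxy capture; a session-like cookie flagged "missing HttpOnly" is the note that turns a medium stored XSS into the account-takeover finding.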
Actionable Research For Your Resume
As for actionable research, since I was able to make application-level requests, I wanted to see if I could make internal requests. This was a bit of a stretch because I had no clue what the backend of the application looked like, but I still wanted to see how far I could get.
I tried various payloads, context switching, and all that stuff to see if I could reach anything internally—but to no avail. I probably missed something, so I just noted it down as: XSS to SSRF?
I've seen some articles about it, but nothing seemed concrete. There are obviously instances where it's an easy bug chain, but what about the more intricate scenarios? Here's my advice to you: instead of spending your hard-earned money on a certification that will take you six months to study for, take a month to dive deep into this topic and build case studies that show a repeatable methodology. Even if it doesn't end up being repeatable, research that touches on edge cases is still valuable.
This will get you more attention than a cert probably will. If you don't do it, someone else will. I know I'll be circling back to it at some point.
I have a lot more potentially valuable research topics noted down. Let me know if you would like me to do a video about these.