Hi there! As an avid bug bounty hunter, I always look forward to weekends, when I can participate in different programs and discover vulnerabilities that help make the internet a safer place. One particular weekend, I received an email from one of the private programs I regularly participate in, informing me that they had updated their infrastructure.
As you may know, when a company updates its infrastructure, it presents an opportunity for bug hunters to dig deeper and find new vulnerabilities. With this in mind, I immediately started my recon process to identify any potential vulnerabilities in the updated infrastructure.
Since many hunters were already looking for bugs in the same domain, I knew that finding something new could be a game-changer. I was determined to leave no stone unturned and to find something unique that could earn me a good bounty.
During my reconnaissance, I used a directory brute-forcing tool, dirsearch, to look for any admin interface on the updated infrastructure. After some searching, I found that requesting /admin redirected me to /carbon/admin/login.jsp, which looked like the login page of an admin panel.
I attempted to use various login bypass and admin panel takeover attacks to gain access to the admin panel, but unfortunately, none of them were successful. At this point, I decided to do some research on /carbon/admin/ and assumed that the backend of the application may use a plugin, CMS, or framework that was causing the redirect.
After some Google searches, I found that the application was using the WSO2 Management Console, and I also came across a known vulnerability in it, CVE-2020-17453, a reflected XSS in the console's login page. However, I had over 35 subdomains to test, and I could not manually test each one for the vulnerability.
XSS (Cross-Site Scripting) is a type of security vulnerability in web applications where an attacker can inject malicious scripts into a web page viewed by other users. The malicious scripts are typically executed in the browser of the victim user, allowing the attacker to steal sensitive information, such as session cookies, login credentials, or personal data.
There are several types of XSS, but the one relevant here is "Reflected XSS." In a reflected XSS attack, the attacker sends the victim a link whose URL parameter contains a script. When the victim opens the link, the server echoes ("reflects") that parameter into the response page without encoding it, so the browser runs the script in the context of the victim's session on that site.
CVE-2020-17453 is the Common Vulnerabilities and Exposures (CVE) identifier for a reflected cross-site scripting (XSS) vulnerability in the WSO2 Management Console, the /carbon/admin/ interface shipped with WSO2 Carbon-based products; the NVD record lists versions through 5.10 as affected and names the msgId parameter of carbon/admin/login.jsp as the injection point. Because the login page is reachable without authentication, an attacker who tricks an administrator into visiting a specially crafted URL can run script in the administrator's browser, leading to potential data theft, cookie hijacking, or actions performed with the administrator's privileges.
To automate the testing process, I created a Node.js script that requests the login page on each subdomain with a probe value in the vulnerable parameter and reports hosts that echo it back unencoded. Finally, I hit the jackpot: the script identified one of the subdomains as vulnerable and printed the working payload URL.
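The following is an added example, not the author's published scanner or any WSO2 code, that shows the shape of such a check: build the probe URL for each host, fetch the login page, and classify whether the probe came back verbatim, HTML-encoded (what a patched page does, shown by the included htmlEncode helper), or not at all. It assumes the reflected parameter is msgId (the parameter named in the CVE record; the post itself does not name it), Node 18 or later for the global fetch, and a benign marker string instead of a real script payload. The sample response bodies are constructed here, not captured from a live server.

```javascript
// Added example: reflected-XSS probe for the WSO2 Management Console login
// page (CVE-2020-17453). Not the author's tool; assumptions are noted inline.
const LOGIN_PATH = '/carbon/admin/login.jsp';
const PARAM = 'msgId';               // assumption: parameter named in the CVE record
const MARKER = 'xssprobe7f3a';       // hypothetical marker, unlikely to occur naturally
const PROBE = `${MARKER}<"'>`;       // characters a safe page must encode before echoing

// Build the probe URL; accepts "host", "host:port" or a full "https://host" base.
function buildProbeUrl(host) {
  const base = /^https?:\/\//i.test(host) ? host : `https://${host}`;
  const url = new URL(LOGIN_PATH, base);
  url.searchParams.set(PARAM, PROBE);  // percent-encodes the probe for the request
  return url.toString();
}

// What a fixed page does with the same input: entity-encode it before echoing.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Classify how the probe came back in the response body:
//   'unescaped'  marker plus the raw <"'> echoed verbatim: reflected XSS signal
//   'escaped'    marker present but the special characters were encoded
//   'absent'     parameter not reflected at all
function classifyReflection(body) {
  if (body.includes(PROBE)) return 'unescaped';
  if (body.includes(MARKER)) return 'escaped';
  return 'absent';
}

// Fetch the probe URL and classify the result. fetchImpl is injectable so the
// logic can be exercised offline; network failures are reported, not thrown.
async function probeHost(host, fetchImpl = globalThis.fetch) {
  const url = buildProbeUrl(host);
  try {
    const res = await fetchImpl(url, { redirect: 'follow', signal: AbortSignal.timeout(10000) });
    const result = classifyReflection(await res.text());
    return { host, url, status: res.status, result, vulnerable: result === 'unescaped' };
  } catch (err) {
    return { host, url, status: null, result: 'error', vulnerable: false, error: String(err.message || err) };
  }
}

// Constructed sample responses (not captured from a real server).
const SAMPLE_BODIES = {
  vulnerable: `<script>var msg = "${PROBE}";</script>`,     // parameter dropped straight into the page
  patched: `<span>${htmlEncode(PROBE)}</span>`,             // same input, encoded before output
  unrelated: '<html><body>Sign in</body></html>',           // parameter ignored
};

// CLI: node probe.js host1 host2 ...   (prints one line per host)
async function main(hosts) {
  if (hosts.length === 0) { console.log('usage: node probe.js <host> [host ...]'); return; }
  for (const h of hosts) {
    const r = await probeHost(h);
    console.log(`${r.vulnerable ? 'VULNERABLE' : r.result.padEnd(10)} ${r.url}`);
  }
}
if (typeof require !== 'undefined' && require.main === module) main(process.argv.slice(2));
```

Two design points worth noting. The probe deliberately carries no script, only the characters that separate "encoded" from "unencoded" output, so the scan produces a clear signal without executing anything on a target; an actual payload is only needed once to confirm a hit. And a verbatim echo inside a script block (as in the constructed vulnerable sample) is the exploitable case the CVE describes, while an entity-encoded echo is exactly what a patched release produces, which is why the classifier distinguishes the two rather than just searching for the marker.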
My process for performing security testing involves several steps.
Upon confirming the vulnerability, I made the decision to release the tool as an open-source resource, allowing other cyber security enthusiasts to leverage it and identify similar vulnerabilities in various websites and applications.
GitHub link: https://github.com/karthi-the-hacker/CVE-2020-17453
It is important to note that this vulnerability has since been fixed in later releases of the WSO2 Management Console; it only remains exploitable on deployments that have not been updated. This serves as a reminder of the significance of regularly updating and patching software, and of not exposing an administrative console such as /carbon/admin/ to the internet when it does not need to be. As security professionals, we must remain vigilant in our efforts to identify and mitigate potential security risks to keep our digital world secure.
Twitter: https://twitter.com/karthithehacker
Instagram: https://www.instagram.com/karthithehacker/
LinkedIn: https://www.linkedin.com/in/karthikeyan--v/
Website: https://www.karthithehacker.com/
GitHub: https://github.com/karthi-the-hacker/
npmjs: https://www.npmjs.com/~karthithehacker
YouTube: https://www.youtube.com/karthithehacker
Thank you