Uncovering a Critical Vulnerability: My Journey of Discovering CVE-2021-31589, a Reflected XSS in…
2023-04-23 14:19:57 Author: infosecwriteups.com

As a cybersecurity enthusiast, I always keep an eye out for potential vulnerabilities in popular websites and applications. Recently, I stumbled upon a reflected XSS vulnerability in LinkedIn.

What is XSS?

XSS (Cross-Site Scripting) is a type of security vulnerability in web applications where an attacker can inject malicious scripts into a web page viewed by other users. The malicious scripts are typically executed in the browser of the victim user, allowing the attacker to steal sensitive information, such as session cookies, login credentials, or personal data.

There are several types of XSS attacks, but the most common type is called “Reflected XSS.” In a Reflected XSS attack, the attacker sends a victim a malicious link whose URL contains a script. When the victim opens the link, the server reflects that input back into the page it returns, and the victim’s browser executes the script in the context of the victim’s session.
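To make the mechanism concrete, here is an added example that is not part of the original write-up or of the author's tool: a minimal Node.js handler that echoes a query parameter, shown in its vulnerable form (the parameter is concatenated straight into the HTML) and its hardened form (the parameter is HTML-encoded first), plus a small regression check a defender can keep in CI to catch unencoded reflection. All names here (renderSearchResultsVulnerable, renderSearchResultsSafe, escapeHtml, isReflectedUnencoded, handleRequest, hardeningHeaders) and the probe marker are this example's own assumptions.

```javascript
// Added example (not from the original write-up or its tool).
// Demonstrates reflected XSS as a missing-output-encoding bug and its fix.

// Vulnerable: the query string is concatenated straight into the HTML body,
// so anything the user puts in ?q= becomes markup in the response.
function renderSearchResultsVulnerable(q) {
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Output encoding for the HTML text / attribute-value context.
// Every character that can open or close markup is replaced by its entity.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: the same page, but the untrusted value is encoded before it is
// placed in the document, so the browser renders it as text, not as markup.
function renderSearchResultsSafe(q) {
  return `<html><body><h1>Results for ${escapeHtml(q)}</h1></body></html>`;
}

// Defender-side regression check (hypothetical helper): send a constructed
// marker containing markup characters through the renderer and see whether it
// comes back verbatim. true means input is reflected without encoding.
function isReflectedUnencoded(render, marker = "<probe-marker>") {
  return render(marker).includes(marker);
}

// Response headers that limit the impact if an encoding bug slips through:
// a CSP that disallows inline script and a correct content type.
function hardeningHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Request handler modelled as a pure function so it can be unit-tested
// without opening a socket. Uses Node's global URL class.
function handleRequest(reqUrl, render = renderSearchResultsSafe) {
  const url = new URL(reqUrl, "http://localhost");
  const q = url.searchParams.get("q") || "";
  return { status: 200, headers: hardeningHeaders(), body: render(q) };
}

// Stand-alone demonstration on a constructed input.
const demo = "/search?q=%3Cprobe-marker%3E";
console.log("vulnerable reflects unencoded:",
  isReflectedUnencoded(renderSearchResultsVulnerable));
console.log("hardened reflects unencoded:",
  isReflectedUnencoded(renderSearchResultsSafe));
console.log("hardened body:", handleRequest(demo).body);
```

The check in isReflectedUnencoded is the same idea a scanner uses, turned into a unit test: if a marker with `<` and `>` survives the round trip unchanged, the page is reflecting input into an HTML context without encoding it, and the fix is contextual output encoding at the point of insertion, with CSP as a second layer.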

What is CVE-2021-31589?

CVE-2021-31589 is a vulnerability that allows attackers to execute malicious code in a user’s browser through a specially crafted URL. It affects BeyondTrust Secure Remote Access Base Software version 6.0.1 and earlier versions. Essentially, this means that an unauthorized person could inject malicious code into the software’s pages, potentially leading to unauthorized access to sensitive data.

The tactics I use for recon

My process for performing security testing involves several steps.

  1. First, I enumerate subdomains and subdomains of subdomains. For enumeration I use a tool called assetfinder. However, since many bug hunters use this same tool, I also brute-force subdomains to get unique additional results, using a tool called subsleuth, which is designed for subdomain brute forcing and subdomain-of-subdomain discovery.
  2. Once I have a list of subdomains, I check which hosts are live. For this I use the httpx tool.
  3. While the automation is running, I also conduct manual attacks. To make that easy, I load all the recon data into Burp using a tool called burpflow. It sets up a proxy and loads the data into Burp in just a few seconds, so I can start manual testing right away.

To uncover this vulnerability, I developed a tool in Node.js and tested it on LinkedIn. The tool quickly identified the reflected XSS vulnerability, which could potentially allow attackers to steal sensitive user information or perform unauthorized actions on the website.

After verifying the vulnerability, I decided to publish the tool as open source so that other cybersecurity enthusiasts could use it to identify similar vulnerabilities in other websites and applications.

Tool Info

GitHub link: https://github.com/karthi-the-hacker/CVE-2021-31589

Bug Report

PoC Video and Technical Info

https://karthithehacker.com/blogs/linkedin-xss.html

Conclusion

The CVE-2021-31589 tool proved effective in identifying the reflected XSS vulnerability on LinkedIn, highlighting the importance of regular vulnerability testing and the need for developers to be aware of potential vulnerabilities in their applications. By sharing this tool as open source, I hope to contribute to the larger cybersecurity community and help secure online platforms for everyone.

Previous write-up:

https://medium.com/bugbountywriteup/from-payload-to-300-bounty-a-story-of-crlf-injection-and-responsible-disclosure-on-hackerone-eeff74aff422

Connect with me:

Twitter: https://twitter.com/karthithehacker

Instagram: https://www.instagram.com/karthithehacker/

LinkedIn: https://www.linkedin.com/in/karthikeyan--v/

Website: https://www.karthithehacker.com/

GitHub: https://github.com/karthi-the-hacker/

npmjs: https://www.npmjs.com/~karthithehacker

YouTube: https://www.youtube.com/karthithehacker

Thank you

Karthikeyan.V


Source: https://infosecwriteups.com/uncovering-a-critical-vulnerability-my-journey-of-discovering-cve-2021-31589-a-reflected-xss-in-1e13c0aa41b0?source=rss----7b722bfd1b8d--bug_bounty