Decoding Puzzled XSS: Unveiling the Hidden Vulnerability
2023-7-24 13:31:34 Author: infosecwriteups.com

Shlok K

InfoSec Write-ups

Hello everyone. Shlok (pphreak_100) this side. This is my first published write-up, so any suggestions are highly appreciated.

This article describes a Cross Site Scripting vulnerability I discovered while participating in a private Bugcrowd bug bounty programme. The application took user input and swapped each character for a different one before displaying the result on screen. The swap algorithm turned out to be decipherable, and I obtained a successful prompt.

During the recon phase, I took advantage of the program’s wildcard scope, allowing me to explore various subdomains. To kick things off, I employed the powerful tool called subfinder, which successfully enumerated an impressive 3428 subdomains for me. Here’s the command I used:

subfinder -all -dL scope.txt -o subs.txt

With the list of subdomains in hand, my next step was to identify the live ones using httpx and save the results to a file. I executed the following command:

cat subs.txt | httpx -o live.txt

To streamline the process further, I eliminated any out-of-scope domains from the live subdomains list using the following command:

grep -Fvf outofscope.txt live.txt >> finallive.txt

Now it was time to focus on PHP-based domains, as I always prefer to look at them first. By executing the following command, I filtered the live subdomains list to identify PHP-based domains:

cat finallive.txt | httpx -status-code -tech-detect -title | grep PHP

This search revealed one intriguing domain, which we’ll refer to as redacted.target.com.

With the domain in hand, the next logical step was to perform fuzzing on the target. I used ffuf with a wordlist (raft-large-words.txt) to fuzz the target URL, exploring various extensions such as .php, .js, .json, .txt, .sql, .tar.gz, .bkp, .html, .htm, and .zip. The command used was as follows:

ffuf -w Seclists/Discovery/Web-Content/raft-large-words.txt -u https://redacted.target.com/FUZZ -e .php,.php.bak,.js,.json,.txt,.sql,.tar.gz,.bkp,.html,.htm,.zip -mc 200,301 -ac

Through this fuzzing process, I stumbled upon a particularly interesting file named password.php, which immediately caught my attention.

Without wasting any time, I proceeded to manually visit the URL associated with the discovered file.

Looks like a simple page, right? No, it's not!!

Excitedly, I delved into the page source, eagerly searching for clues and hidden gems.

And there it was, a meta tag with three intriguing input parameters: token, uid, and email. My curiosity piqued, I wasted no time and turned to my trusty ally, Arjun, for parameter discovery. Armed with the command below, I set out on my exploration:

arjun -u https://redacted.target.com

Output:

Crafting a URL with anticipation, I constructed the following:

https://redacted.target.com/password.php?e=">abcdefghijkl

Balancing the payload with precision, I couldn't wait to see the magic unfold. However, to my surprise, instead of finding "abcdefghijkl" outside the meta tag, I was met with a flurry of seemingly random, jumbled letters.

Not one to be discouraged, I embarked on a quest to create a payload using a single letter. I started with ?e=">a and progressively moved through the alphabet. After some persistence and careful observation, I finally struck gold.

Each letter was swapped, and the mapping was as follows:

a=n, b=o, c=p, d=q, e=r, f=s, g=t, h=u, i=v, j=w, k=x, l=y, m=z, n=a, o=b, p=c, q=d, r=e, s=f, t=g, u=h, v=i, w=j, x=k, y=l, z=m.
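The mapping above is ROT13: every letter moves 13 places along the alphabet, so applying it twice returns the original text, and, more importantly for the defender, non-letter characters such as `"`, `<` and `>` are never altered. The following is an added example, not code from the original write-up or from the affected application. It models the letter swap from the table, checks it against Python's built-in `rot_13` codec, and then contrasts a hypothetical swap-only rendering of the meta tag with attribute-context HTML escaping, using `html.parser` to show what the browser side actually extracts. The `<meta name="reset" content="...">` fragment and the function names are assumptions; the application's real template is not on the page.

```python
"""Added example: models the ROT13-style character swap described in the
write-up and shows why it is not an XSS defence. The meta-tag template and
helper names are hypothetical; the real application code is not on the page."""
import codecs
import html
import string
from html.parser import HTMLParser

# Letter-for-letter table as listed in the write-up (a=n, b=o, ...): each
# letter maps to the letter 13 positions further along the alphabet.
SWAP = {c: string.ascii_lowercase[(i + 13) % 26]
        for i, c in enumerate(string.ascii_lowercase)}


def swap_letters(text: str) -> str:
    """Apply the swap to ASCII letters, preserving case. Everything else passes
    through untouched, which is exactly the problem: '"', '<' and '>' survive."""
    out = []
    for ch in text:
        if ch.lower() in SWAP:
            mapped = SWAP[ch.lower()]
            out.append(mapped.upper() if ch.isupper() else mapped)
        else:
            out.append(ch)
    return "".join(out)


def matches_rot13(text: str) -> bool:
    """The table is ROT13: applying it twice is the identity, and it agrees
    with Python's built-in rot_13 codec."""
    return (swap_letters(swap_letters(text)) == text
            and swap_letters(text) == codecs.encode(text, "rot_13"))


# Hypothetical page fragment (constructed): the reflected value lands inside
# an attribute of a meta tag, as the write-up describes.
META_TEMPLATE = '<meta name="reset" content="{value}">'


def render_meta_swap_only(value: str) -> str:
    """Hypothetical vulnerable rendering: the letter swap is the only
    transformation applied before the value is placed in the attribute."""
    return META_TEMPLATE.format(value=swap_letters(value))


def render_meta_escaped(value: str) -> str:
    """Hardened rendering: HTML-escape for the attribute context (quote=True
    also encodes '"'). The letter swap adds nothing to safety, so it is dropped."""
    return META_TEMPLATE.format(value=html.escape(value, quote=True))


class MetaInspector(HTMLParser):
    """Records what a browser-like parser extracts from the rendered fragment:
    the meta content attribute, plus any tags or text that appear because the
    attribute was closed early by the injected value."""

    def __init__(self) -> None:
        super().__init__()
        self.content = None      # value of the first meta tag's content attribute
        self.extra_tags = []     # any further start tags (should be none)
        self.stray_text = ""     # any text outside tags (should be empty)

    def handle_starttag(self, tag, attrs):
        if tag == "meta" and self.content is None:
            self.content = dict(attrs).get("content", "")
        else:
            self.extra_tags.append(tag)

    def handle_data(self, data):
        self.stray_text += data


def inspect(rendered: str) -> MetaInspector:
    """Parse a rendered fragment and return the inspector with its findings."""
    parser = MetaInspector()
    parser.feed(rendered)
    parser.close()
    return parser


if __name__ == "__main__":
    # Constructed, benign input that tries to close the attribute.
    probe = '"><b>x</b>'
    for label, render in (("swap only", render_meta_swap_only),
                          ("escaped", render_meta_escaped)):
        seen = inspect(render(probe))
        print(f"{label:9}: content={seen.content!r} extra_tags={seen.extra_tags} "
              f"stray_text={seen.stray_text!r}")
```

The swap-only rendering leaves the parser with an empty `content` attribute, a stray `<o>` element (the swapped `<b>`) and leftover text: the value has broken out of the attribute, and the letter substitution merely renames the injected tag. The escaped rendering hands the parser the complete original string as the attribute value and nothing else, which is the behaviour to test for in the fix.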

Now it was time to create the final payload:

https://redacted.target.com/password.php?e="><fpevcg>cebzcg(1)</fpevcg>

And here was the moment of triumph :)

Thank you!!

Reported: 17 May 2023

Triaged: 19 May 2023

Rewarded: $$$ on 22 May 2023

Resolved: 23 May 2023


Source: https://infosecwriteups.com/decoding-puzzled-xss-unveiling-the-hidden-vulnerability-5980b4c8fc30?source=rss----7b722bfd1b8d--bug_bounty