Hi everyone, it's Yasser again (AKA Neroli).
I told you that my brother (who is 16 years old) and I were doing some bug bounty, and we found these cool bugs.
As always I picked a target that was interesting, since it has a lot of functionality and is easy to use. I don't do a lot of recon, so we just started on the main domain.
My brother started doing random actions to understand how everything works,
and after some clicks it was time for some crazy things XD.
We started directory brute forcing to get some endpoints.
While doing that my brother started sending random path traversal payloads, and I also wrote a small script to take a screenshot of every URL,
but we didn't get anything
until my brother started checking the Burp responses.
At this point my brother tried this URL:
https://Target/material/profile/endpoint/{numerical_id}
so he started appending path traversal payloads to the id.
We knew that we needed to go back 4 times to reach the root directory (the id sits under four path segments: material/profile/endpoint/{numerical_id}), so he tried this:
https://Target/material/profile/endpoint/{numerical_id}/../../../../
Normally this request leads to the main domain, https://target,
which is what happens when we load this URL in the browser, but in Burp we got a different response!
Clicking "show response in browser"
we got this:
My hypothesis is that the website is talking to an internal API that is vulnerable to directory listing, and when the browser sends the request the flow is as follows:
That's why we got different results when we used Burp.
From here I started digging more into this issue. Browsing each of the discovered endpoints, I found an internal endpoint that is responsible for formal email templates.
Picking a template,
inserting a simple XSS payload and pressing preview, I got an alert :)
Hmmm, but as you can see it's a self-XSS, so we cannot do much with it.
I intercepted the request responsible for the XSS and created a simple CSRF PoC to replay the request, and as soon as we open the page the XSS is executed.
As you can see there is a "Send a test Email" button,
which seems to send a test email to the company email, from the company email as well, so it's quite possible that employees open it as a normal email:
I found that in one template I can insert a URL, so I inserted the RXSS URL; as soon as the admin opens the email and clicks the button he is redirected to the RXSS link and we get his cookies :)
Note that there are many templates, so it's not only the reset password email we can send.
The bugs first got N/A as usual XD,
then after a small argument I showed the impact, it got triaged and we got $700 :)
I would like to thank my friend Abdulrhman Adel for his assistance when I asked him about the path traversal issue. Sadly we couldn't raise the impact, but he explained to me why the path traversal happened.
I hope you enjoyed this write-up, and wait for my Tips for New Bug Bounty Hunters post.