HTML Injection Vulnerability to XSS

Hello Mates,

This is my first bug bounty writeup on finding an HTML Injection Vulnerability and escalating it to XSS.

It started when my friend found a potential 2FA bypass in the application but somehow was not able to escalate it. So he and I started working on finding a valid exploit for it. We later realized that it was actually not a bypass but just a misconfigured 2FA (that's a story for some other day).

Now, I started hunting on the target in Bugcrowd, which is actually a very old target, and I started with the main landing page, which obviously was a very noob move: the target was so old and heavily tested that there was little chance of finding a vulnerability in it. Yet after my friend and I were done with the 2FA thing, I started throwing normal HTML tags into all the input fields.

I put an HTML tag (<h1>test</h1>) in the search box. It was getting reflected, but in encoded form. I tried some techniques to bypass the encoding, but was not successful, so I started testing other input fields. But then I saw that when I clicked on the search box, although the input on the page was encoded, on the recent searches tab it was getting rendered as HTML. I immediately put in the payload (<svg onload=alert(1)></svg>) and, to my disappointment, it didn't display the alert box. The application was using some WAF that didn't allow JS to work; neither event-handler attributes nor script tags were working. In order to bypass it, I tried an <img> tag and loaded a vulnerable image, and that got my payload executed.

I was so happy and immediately reported it and waited for the result. The severity was updated to P3, but sadly it was also marked as a duplicate (the major con of testing an old program). Still, I was happy with the finding and with the technique I used to bypass the filtering.

I am Niraj Modi. I hunt by the name "Jordin". I started bug bounty as a hobby last year. Though I have not received any monetary reward as of now, I am still trying, so any tips about writeups or bug bounty are always welcome. I am planning on constantly posting about my findings. Please give a clap if you found the post informative. Follow me here to get regular updates.

This is my Twitter handle: Jordin.

Please message me if you have any suggestions or queries.

See you later.

#CodeToLive ;-)