Nytro
Posted July 22, 2018

Escalating Low Severity Bugs To High Severity

This time I am gonna share about some ways that I have learned & applied while participating in bounty programs and was able to escalate Low severity issues to higher severity. Let's Go To the Technical details straight:

Note: You might also be able to use Window Object instead of Iframe in the following Cases I mention but it's better to use "Iframe" instead of "Window" to be stealthier and have least User-Interaction though it requires Clickjacking to be present too.

Case #1. Self Stored-XSS and Login-Logout CSRF:

Pre-Requisites:
1.) Victim must be logged in on the Application
2.) Some kind of sensitive information of the currently authenticated user should be present on some page (via Web API etc.)

ATTACKER Having Self-Stored XSS in Profile Description:

Attack Summary:-
1. Victim Visits Attacker's Page
2. Create 2 Iframes
   Frame #1 (VICTIM) pointing to the sensitive info page (e.g. CreditCards, API Keys, Secrets, password hashes, messages etc. which is only visible to the authenticated user)
   Frame #2 (ATTACKER) pointing to Self-Stored XSS page
3. Perform the following on the Attacker Page:
   Once the Frame #1 is loaded completely
   a) Logout from Victim's account
   b) Login to Attacker's/your Account using the login CSRF
   In the Frame #2
   c) Execute the Self-Stored XSS in your (attacker's) and Access the Frame #1 using top.frames[0].document.body.outerHTML since the Same Origin and steal it and send that info to your server

Full article: https://www.noob.ninja/2018/07/escalating-low-severity-bugs-to-high.html
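
A defensive check for the preconditions of Case #1, as an added example that is not part of the original post or the linked article: it reads a response's framing headers and the session cookie's SameSite attribute to tell whether the two-iframe setup could load at all. The function names and the sample responses are constructed for illustration.

```javascript
// Added example: audits the headers that decide whether the sensitive page and
// the profile page from Case #1 can be framed by another site. Names are hypothetical.
const RANK = { frameable: 0, allowlist: 1, blocked: 2 };

// Verdict for one CSP policy's frame-ancestors directive, or null if absent.
function policyVerdict(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== "frame-ancestors") continue;
    if (sources.some(s => ["*", "http:", "https:"].includes(s))) return "frameable";
    // An empty source list behaves like 'none'.
    return sources.every(s => s === "'none'" || s === "'self'") ? "blocked" : "allowlist";
  }
  return null;
}

// Can a third-party origin load this response in an iframe?
function framingVerdict(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  // Comma-joined policies are all enforced, so the most restrictive one wins.
  const verdicts = (h["content-security-policy"] || "").split(",")
    .map(policyVerdict).filter(v => v !== null);
  // When frame-ancestors is present, browsers ignore X-Frame-Options.
  if (verdicts.length) return verdicts.reduce((a, b) => (RANK[b] > RANK[a] ? b : a));
  // ALLOW-FROM and unrecognised values give no protection in current browsers.
  const xfo = (h["x-frame-options"] || "").toUpperCase().split(",").map(v => v.trim());
  return xfo.some(v => v === "DENY" || v === "SAMEORIGIN") ? "blocked" : "frameable";
}

// Is the session cookie attached to a request made from a cross-site iframe?
function cookieInCrossSiteFrame(setCookie) {
  const m = /;\s*samesite\s*=\s*(\w+)/i.exec(setCookie);
  if (!m) return "browser-dependent"; // the default differs between browsers
  return m[1].toLowerCase() === "none" ? "sent" : "not-sent";
}

// Case #1 needs both pages frameable and the victim's cookie sent inside Frame #1.
function case1Preconditions({ sensitivePage, profilePage, sessionCookie }) {
  return { sensitiveFrame: framingVerdict(sensitivePage),
           profileFrame: framingVerdict(profilePage),
           cookie: cookieInCrossSiteFrame(sessionCookie) };
}

// Constructed sample responses (not taken from any real application).
const sample = {
  sensitivePage: { "X-Frame-Options": "DENY",
                   "Content-Security-Policy": "default-src 'self'; frame-ancestors *" },
  profilePage: { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  sessionCookie: "sid=abc123; Path=/; HttpOnly; Secure",
};
console.log(case1Preconditions(sample));
```

A verdict of "blocked" on either page, or "not-sent" for the cookie, removes a precondition the chain depends on; the first sample page shows a permissive frame-ancestors overriding an otherwise strict X-Frame-Options.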