Nytro
Escalating Low Severity Bugs To High Severity

This time I am gonna share some ways that I have learned and applied while participating in bounty programs, which let me escalate Low severity issues to higher severity. Let's go straight to the technical details:

Note:
You might also be able to use a Window object instead of an iframe in the cases I mention below, but it's better to use an iframe instead of a window to be stealthier and require the least user interaction, though this requires clickjacking to be present too.

Case #1. Self Stored-XSS and Login-Logout CSRF:

Pre-Requisites:
1.) Victim must be logged in to the application
2.) Some kind of sensitive information about the currently authenticated user must be present on some page (via a web API etc.)

Screenshot (not reproduced): attacker having self-stored XSS in the profile description
Attack Summary:
1. Victim visits the attacker's page.
2. Create two iframes:
   Frame #1 (VICTIM) pointing to the sensitive info page (e.g. credit cards, API keys, secrets, password hashes, messages etc., which are only visible to the authenticated user)

   Frame #2 (ATTACKER) pointing to the self-stored XSS page

3. Perform the following on the attacker's page:
   Once Frame #1 is loaded completely:
     a) Log out of the victim's account
     b) Log in to the attacker's/your account using the login CSRF

   In Frame #2:
     c) Execute the self-stored XSS in your (attacker's) account and access Frame #1 using top.frames[0].document.body.outerHTML, since both frames are now same-origin; steal it and send that info to your server
Full article: https://www.noob.ninja/2018/07/escalating-low-severity-bugs-to-high.html
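The chain above only works when two conditions hold on the target application: the sensitive page can be embedded in a third-party iframe, and the session cookie is sent on cross-site requests (so logout and login CSRF from the attacker's page succeed). The following is an added example, not part of the original post or the linked article, that a defender can run over their own responses to spot those two conditions. It assumes responses are represented by the small `Response` class defined here; the header and cookie values are constructed for the example, and the anti-CSRF token on the login form itself cannot be judged from headers alone.

```python
"""Check an HTTP response for the preconditions of the iframe + login CSRF chain.

Two checks (both mitigations, from the defender's side):
  1. frameable_cross_origin: no CSP frame-ancestors and no X-Frame-Options
     means the page can be embedded by an attacker-controlled origin.
  2. cookie_allows_cross_site: a session cookie without SameSite=Lax/Strict is
     attached to cross-site POSTs, which is what login/logout CSRF relies on.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    headers: dict = field(default_factory=dict)      # header name -> value
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie lines


def _header(headers: dict, name: str):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors_sources(csp: str):
    """Return the source list of the frame-ancestors directive, or None if unset."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def frameable_cross_origin(headers: dict) -> bool:
    """True if a third-party origin may embed this page in an iframe."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            # When frame-ancestors is present, CSP-aware browsers ignore
            # X-Frame-Options, so the CSP directive decides.
            return any(s in ("*", "http:", "https:") for s in sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return False
    return True


def cookie_allows_cross_site(set_cookie: str) -> bool:
    """True if the cookie would be sent on a cross-site request.

    A missing SameSite attribute is treated as weak: the default is
    browser-dependent, so a defender should set Lax or Strict explicitly.
    """
    attributes = [a.strip() for a in set_cookie.split(";")[1:]]
    for attribute in attributes:
        name, _, value = attribute.partition("=")
        if name.strip().lower() == "samesite":
            return value.strip().lower() == "none"
    return True


def assess(resp: Response) -> list:
    """Collect human-readable findings for the two preconditions."""
    findings = []
    if frameable_cross_origin(resp.headers):
        findings.append("page can be framed by a third-party origin "
                        "(add CSP frame-ancestors 'self'/'none' or X-Frame-Options)")
    for raw in resp.set_cookies:
        cookie_name = raw.split("=", 1)[0].strip()
        if cookie_allows_cross_site(raw):
            findings.append(f"cookie {cookie_name!r} lacks SameSite=Lax/Strict "
                            "(login/logout CSRF from another site is possible)")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
VULNERABLE = Response(
    headers={"Content-Type": "text/html"},
    set_cookies=["session=abc123; Path=/; HttpOnly"],
)
HARDENED = Response(
    headers={"Content-Type": "text/html",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
             "X-Frame-Options": "DENY"},
    set_cookies=["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
)

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, assess(resp) or ["no findings"])
```

Both findings have to be fixed together: `frame-ancestors 'none'` (or `X-Frame-Options: DENY`) removes the hidden-iframe delivery, and `SameSite=Lax` on the session cookie plus an anti-CSRF token on the login and logout forms removes the account-swap step, which also shrinks a self-stored XSS back to a self-only issue.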
