How I got €50 from an <IMG> tag. It literally bypassed everything. (UNEXPECTED BYPASS)
<img> Never Disappoints
Hello folks,
This is Kashif, welcome to another write-up. In this blog I'll be sharing my first bounty. It was August 14, and I was looking for some paid programs apart from HackerOne, Intigriti and Bugcrowd. I ended up opening openbugbounty.com, randomly tapped on a target and noticed that it had a paid bug bounty program, so I opened its main website and started looking for XSS (my favorite bug). "I know yours is RCE."
#FINDINGS#
A few days ago I found a DOM XSS bug in an Open Bug Bounty target which executes through a POST request. I'll tell you about POST-request XSS in another write-up.
Parameter: ?search=
Location: Blog search
#HUNTING PROCESS (expectations)#
With the above XSS bug in mind, and expecting that I'd get another XSS, I opened the main domain, scrolled down and then tapped on the blog option. Another web page opened; without any further testing I went to the blog search option, pasted some XSS payloads and checked for reflection, but the firewall filters all the special characters (<> " (){} '). All of them were encoded properly, so it seemed there was no chance of a bug.
Alas, no luck.
#Unexpected finding#
Someone on YouTube said that when testing for XSS you should first check for HTML injection and try to inject basic tags (like <u>, <h1>, etc.). So while testing I just put my name in the search bar and looked in the source code for where it was reflected, then checked whether <u> was reflected as-is or not. No luck, it was encoded.
#<IMG> tag never disappoints#
With no hope left I put an XSS payload through an IMG tag, but it was also encoded, lol. And here we got the bug: while entering it I mistakenly typed only <IMG SRC=x and got a broken image in the response.
So I checked the source code and found that everything else was encoded, but the IMG tag was reflected twice, as-is.

#I THOUGHT THAT I GOT XSS BUT THIS HINDERED ME#
After the above finding I simply typed "onerror=alert()> after it, but it didn't execute. When I checked the source code, the IMG tag was encoded too. I was stuck and I was like:

#AGAIN A NEW CHALLENGE#
But I tried every possible img tag payload and, alas, not a single one executed. It was my first finding on a paid program (in my mind I thought I had to report it fast, otherwise someone else would report it and mine would be a duplicate). So I gave up and tried to submit the report as it was, by entering any value in the image tag. And here I hit another challenge: I couldn't enter a lengthy URL, because the search input only allows a few characters.
#Solved#
I observed that every input I gave also appeared in the URL, so I just typed "<img src=kashif>" as the input and then changed the image URL in the address bar from kashif to a genuine image URL for the PoC. And reported...
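The probing order above (plain text, then basic tags, then an unclosed <IMG SRC=x, then the "onerror=alert()> attempt, then a closed <img src=...>) is worth turning into a repeatable check. The script below is an added example, not code from the original post or from the target: it models the search page's reflection with a constructed filter rule inferred from what the write-up reports (everything is HTML-encoded except an <img> that carries only a src attribute, closed or not), runs the same probes against it, and classifies each reflection as encoded, plain text, HTML injection or XSS. The template, the filter rule and the probe strings are assumptions; the hardened filter is what the page should have done instead.

```python
import html
import re

# Constructed model of the blog search page, used only to illustrate the probing
# order from the write-up. The filter rule is an assumption inferred from what the
# author reports (everything encoded except a bare <img src=...>, with or without
# the closing '>'); it is not the target's real code.
IMG_SRC_ONLY = re.compile(r"<img\s+src\s*=\s*[^\s\"'<>]+\s*/?>?$", re.IGNORECASE)


def model_filter(value):
    """Assumed filter: pass a lone <img src=...> through, encode everything else."""
    if IMG_SRC_ONLY.match(value.strip()):
        return value
    return html.escape(value, quote=True)


def hardened_filter(value):
    """What the page should do: unconditional HTML-context output encoding."""
    return html.escape(value, quote=True)


def render_search(term, filt):
    # The search term is reflected twice on the results page (constructed template).
    return f"<h2>Search: {filt(term)}</h2>\n<p>No posts match {filt(term)}.</p>"


TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.IGNORECASE)
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def classify(term, page):
    """Rank what a reflected probe actually gives an attacker."""
    if term not in page:
        return "encoded"            # probe was neutralised by the filter
    if HANDLER_RE.search(term) or "<script" in term.lower():
        return "xss"                # a raw event handler or script tag survived
    if TAG_RE.search(term):
        return "html_injection"     # a tag survived, but no way to run JS
    return "text"                   # plain text echoed back, nothing to report


# Probe order from the write-up: plain text, basic tags, an unclosed <img>,
# the event-handler attempt that the filter catches, then a closed <img>.
PROBES = [
    "kashif",
    "<u>kashif</u>",
    "<h1>kashif</h1>",
    "<IMG SRC=x",
    '<IMG SRC=x "onerror=alert()>',
    "<img src=kashif>",
]


def run_probes(filt):
    """Return {probe: verdict} for every probe rendered through the given filter."""
    return {p: classify(p, render_search(p, filt)) for p in PROBES}


if __name__ == "__main__":
    for label, filt in (("assumed filter", model_filter), ("hardened", hardened_filter)):
        print(f"== {label} ==")
        for probe, verdict in run_probes(filt).items():
            print(f"{verdict:15} {probe}")
```

Two practical notes. First, an unclosed <IMG SRC=x still renders as a broken image because the browser's tokenizer keeps reading the unquoted src value until the next `>` in the page, so the tag is closed by whatever markup follows it; that is why a truncated payload produced a visible result even though the filter rejected every closed img tag the author tried. Second, the verdict that matters for the report is `html_injection`: the attacker controls a src URL (content injection, typically rated low), not script execution, so the hardened filter is the one to recommend in the fix section.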
#I GAVE UP AT THE END, BUT PLEASE DON'T GIVE UP, YOU WILL FIND SOMETHING BIG#
Maybe I would also have got XSS, but because of the fear of a duplicate I reported it as it was.
#REWARD TIME#
They rated it as a low-severity finding and gave me €50 via PayPal.

#BONUS#
Check every possible input with normal HTML tags, and most importantly the image tag. Maybe it will bring you luck.
I hope you learned something new from this.
Don't forget to follow; I'll be sharing XSS through POST requests in another write-up.