Stored XSS & Privilege Escalation in Profile Field - Private Program
Hello everyone, I’m here to share my recent findings on stored XSS and privilege escalation in the profile field of a private program, all achieved in a short amount of time.
I monitor my targets using some free open-source tools. This morning, when I checked my mail, I received an email about new domains that had been added.
Quickly, I opened the email and started hunting on the subdomain. It had limited functionality. Initially, I started testing the profile page and observed that there was a profile upload.
I started checking file upload test cases, including EXIF data to XSS, GIF payloads, pixel flooding attacks, and I tried almost everything.
I tried changing the file extension, content type, and body to some HTML payload and checked the response, but it failed and threw me an error indicating the supported file types. I also attempted null-byte and magic-byte bypasses, but nothing worked for me.
At last, I checked my saved notes on Notion, where I recently added one test case that I found on almost every site I used to hunt.
I tried changing the file extension and added a payload to the request body, while the content type remained constant as image/png.
After manipulating the request and forwarding it, I received a successful response containing the image path, which looked like user/profile/userhash.html.
I added the path to the root URL and got a beautiful popup on the main page. Then I tried to escalate it to ATO and attempted a blind XSS payload to steal the victim’s token, but there was an HttpOnly flag on the cookie.
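One server-side fix for the upload flaw described above, as an added example that is not code from the original post or from the affected program: the extension allowlist, magic-byte table and function names are assumptions. It rejects exactly the case in the write-up (extension changed to .html while the Content-Type stays image/png) and never lets the client choose the stored filename.

```python
import os
import secrets

# Constructed allowlist for an avatar upload: extension -> (expected MIME type, magic bytes).
ALLOWED_IMAGE_TYPES = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
}

class UploadRejected(ValueError):
    """Raised when an avatar upload fails validation."""

def validate_avatar_upload(filename: str, content_type: str, body: bytes) -> str:
    """Validate an avatar upload and return a server-chosen storage name.

    The client's Content-Type is never trusted on its own: the extension must be on the
    allowlist, the Content-Type must match that extension, and the body must start with
    the format's magic bytes. The stored name is generated server-side.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    expected_mime, magic = ALLOWED_IMAGE_TYPES[ext]
    declared = content_type.split(";", 1)[0].strip().lower()  # drop "; charset=..." etc.
    if declared != expected_mime:
        raise UploadRejected(f"Content-Type {declared!r} does not match extension {ext!r}")
    if not body.startswith(magic):
        raise UploadRejected("file body does not match the declared image format")
    # Random server-picked name plus the validated extension, so client input can never
    # make the stored path end in .html the way user/profile/userhash.html did.
    return f"{secrets.token_hex(16)}{ext}"

def upload_decision(filename: str, content_type: str, body: bytes) -> str:
    """Turn the validator's outcome into one string, e.g. for an audit log line."""
    try:
        return "accepted:" + validate_avatar_upload(filename, content_type, body)
    except UploadRejected as exc:
        return "rejected:" + str(exc)

# Constructed inputs mirroring the write-up: a real PNG header, and an HTML body sent with
# the extension changed to .html while the Content-Type is left as image/png.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_BODY = b"<html><body>constructed html upload</body></html>"

if __name__ == "__main__":
    print(upload_decision("avatar.png", "image/png", GOOD_PNG))
    print(upload_decision("avatar.html", "image/png", HTML_BODY))  # rejected on extension
```

Serving the stored file with `X-Content-Type-Options: nosniff` and the validated image Content-Type is the companion change, so even a stored file is never interpreted as HTML.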
After analyzing the application thoroughly, I discovered a privilege escalation issue involving a UUID in the profile picture field, but the hardest part was obtaining the UUID.
I copied my user hash and searched for it in Burp history, where I found the hash value in the forgot-password response. I made a request with the victim’s email and obtained their hash. After that, I escalated the privilege.
I created a detailed PoC and submitted it via Bugcrowd, and within a short time my report was triaged.
Support and Follow
If you found this article insightful, please leave a clap and share your feedback in the comments. Follow me for more exciting findings and cybersecurity tips!
Find me on LinkedIn: @suryaarigela
Thank you for your continued support. Keep clapping, commenting, and sharing your thoughts!