Thursday, April 11, 2013

How I Was Rewarded USD?K With Just a Simple Search Form

It's been a while, and I've been quite busy with work lately. Today I want to share with you my recent successful findings in the PayPal Bug Bounty Program.

PayPal's Bug Bounty Program has currently limited the applications that are in scope for testing, so finding any bug is quite hard nowadays. Read about it here at ehackingnews.

One of the apps still in scope is BillSafe. Previously, I noticed that @Vigneshkumarmr had found XSS and CSRF in that application; however, he was not the first person to find them. @KrutarthShukla was the one PayPal rewarded for his submissions on BillSafe.

Then one day I was just trying my luck, to see whether there was any bug the other researchers/hunters had missed. Looking for luck... until I met this search form.

It's a search form where we can see our transaction history. I tried searching some random words. Nothing unusual.

Then, with the power of a double quote, BOOM! The page became blank!
Aha! Now that's weird. At first I thought it might be just a normal error, so I tried closing the double quote.
BAM!! Welcome to papa, Blind SQLi!
But that alone is not enough: I needed to give them a working POC. I tried a common technique. Not working... darn! I took a look, had a rest, took my coffee, and then my brain knocked on me: "let's try with a simple SQL query".

So I tried using something like " or column_name like "%
How does it work? Simple. The injected quote closes the original string and the "or" appends a second condition. If the column_name I guessed exists, the condition is TRUE and the page loads normally; otherwise the query fails and the page becomes blank. So does it work?
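To show the blank-page oracle from the defender's side, here is an added example (not code from this post, BillSafe or PayPal) of a search handler that concatenates the term into the query, beside its parameterised fix. It assumes a small constructed sqlite3 table with hypothetical column names and single-quoted SQL literals, so the probe from the post is written with ' instead of "; the vulnerable handler returns None where the real page went blank (a database error) and returns every account's rows when the guessed column exists, while the fixed one treats the same input as a plain search string.

```python
import sqlite3

# Constructed sample data standing in for a transaction-history table.
SAMPLE_ROWS = [
    (1, "alice", "Coffee beans"),
    (2, "alice", "Book order"),
    (3, "bob", "Coffee grinder"),
]

def make_db():
    """In-memory stand-in for the application's database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER, account TEXT, description TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def search_vulnerable(conn, account, term):
    """Concatenates the search term into the SQL text, the bug class in the post.
    Returns None where the real page went blank, i.e. the database raised an error."""
    sql = (f"SELECT id FROM transactions WHERE account = '{account}' "
           f"AND description LIKE '%{term}%' ORDER BY id")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None

def search_fixed(conn, account, term):
    """Binds the term as a parameter: quotes and keywords stay data, never SQL."""
    sql = ("SELECT id FROM transactions WHERE account = ? "
           "AND description LIKE ? ORDER BY id")
    return [row[0] for row in conn.execute(sql, (account, f"%{term}%"))]

def run_demo():
    """Feeds the same inputs to both handlers, as alice searching her own history."""
    conn = make_db()
    probes = {
        "normal": "Coffee",                                  # ordinary search
        "unbalanced": "'",                                   # lone quote: blank page
        "closed_bad_column": "' or nosuchcolumn like '%",    # wrong guess: still blank
        "closed_good_column": "' or description like '%",    # right guess: loads, leaks bob's row
    }
    return {name: (search_vulnerable(conn, "alice", term), search_fixed(conn, "alice", term))
            for name, term in probes.items()}

if __name__ == "__main__":
    for name, (vuln, fixed) in run_demo().items():
        print(f"{name:20s} vulnerable={vuln} fixed={fixed}")
```

The "or" condition also defeats the account filter, so a right guess returns another account's rows, which is why the blank-or-not signal alone was enough to prove impact.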

And is it done? Yes, for the SQLi. As a bonus, I found that this form is vulnerable to XSS as well.

All of these bugs have been fixed by PayPal, and I have already received the payment. How much? I'll leave that to your imagination.