The Ultimate Guide to Chaining Bugs: How I Found an XSS in a Bug Bounty Program

Bug Bounty Hunting

Pronay Biswas
3 min read · Jun 9, 2024

Hello there, and welcome back to my blog!

In this article, I’ll share how I successfully chained an HTML injection into an XSS during a bug bounty program. Let’s dive in.

Introduction

I’m Pronay Biswas, a security researcher and bug bounty hunter from West Bengal, India. Recently, I discovered a critical vulnerability by chaining HTML injection to achieve an XSS. Here’s a step-by-step account of my journey.

Step 1: Program Selection and Subdomain Enumeration

I chose a program from Bugcrowd and started enumerating subdomains using my subdomain enumeration tool, subdomaindive. To identify live subdomains, I used the httpx tool and selected a target subdomain for further exploration. Let’s assume that the subdomain is blog.example.com.

Step 2: Initial Exploration and HTML Injection

Upon visiting the selected subdomain, I found a chatbot feature. Based on my previous experiences with XSS in chatbots, I tested the following XSS payload, but it didn’t work.

<script>alert(1)</script>

Then I tried an HTML injection payload, which worked.

<h1>Click here</h1>

Step 3: Chaining HTML Injection with XSS

An HTML injection bug typically falls into the P4 category, so on its own its impact is minimal. I combined it with an XSS payload to try to increase its impact.

<h1 onmouseover="alert(document.domain)">Click here</h1>

Once the payload was injected, it rendered an h1 heading reading "Click here". Hovering the cursor over "Click here" triggered an alert showing the domain name.

Step 4: Reading Cookies with XSS

As a next step, I tested another payload to display the value of the cookie, and was able to read it successfully.

<h1 onmouseover="alert(document.cookie)">Click here</h1>

The bug was promoted to P2 after the HTML injection was chained with XSS.
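As an added illustration from the defender's side (my code, not the program's or the author's): a simulated chatbot renderer that only strips script tags, which is an assumption about why the first payload failed while the h1 payloads rendered, beside the output-encoding fix, with the three payloads from this write-up as constructed inputs.

```javascript
// Added example: a blocklist filter versus HTML output encoding, using the write-up's payloads.

// The three inputs from the write-up, embedded here as constructed test data.
const PAYLOADS = {
  script: '<script>alert(1)</script>',
  htmlInjection: '<h1>Click here</h1>',
  eventHandler: '<h1 onmouseover="alert(document.domain)">Click here</h1>',
};

// Assumption: a tag-blocklist filter of the kind that would produce the observed behaviour
// (the <script> payload failed, the <h1> payloads rendered). The target's real filter is unknown.
function naiveScriptFilter(input) {
  return input.replace(/<\/?script[^>]*>/gi, '');
}

// Contextual output encoding for an HTML text context: every character that can open a
// tag, attribute or entity is replaced, so user input can only ever be displayed as text.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Simulated chat rendering: the user's message is concatenated into the reply markup.
function renderNaive(userMessage) {
  return `<div class="msg">${naiveScriptFilter(userMessage)}</div>`;
}

function renderSafe(userMessage) {
  return `<div class="msg">${escapeHtml(userMessage)}</div>`;
}

// Detection check usable in a response-scanning test: does the markup still contain a
// real tag carrying an on* event-handler attribute?
function containsEventHandler(markup) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup);
}

// Walk all three payloads through both renderers and report which ones survive as live HTML.
function compareRenderers() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = {
      naiveStillHasHandler: containsEventHandler(renderNaive(payload)),
      safeStillHasHandler: containsEventHandler(renderSafe(payload)),
    };
  }
  return report;
}
```

The report shows the blocklist renderer passing the onmouseover payload through as live markup while the encoding renderer neutralises all three, which is why the fix for this class of bug is output encoding, not a bigger tag blocklist.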

Conclusion

By chaining HTML injection into XSS, I was able to increase the impact of this bug significantly, showing the potential danger this type of attack poses.

Stay tuned for more updates and insights into my bug bounty journey. Until next time, happy hunting!!!


Written by Pronay Biswas

Secured NASA, Cisco, TATA Power, Inflectra, and so on | CEH | CAP | CNSP | Bug hunter | CTF Player 🚩
