Skip to content

Writeups on Free Challenges in BugBountyHunter

Views: 5

In this post, I will share some writeups on the free challenges in BugBountyHunter platform. I encourage everyone to check out the site https://www.bugbountyhunter.com/.

Cross-Site Scripting in Image Tag

https://www.bugbountyhunter.com/challenge?id=2

How does the feature works? If you select the dropdown option, the image will be rendered with special effects using CSS. In the img tag, we can see the selected option value will appear in class.

What could go wrong? The POST request looks suspicious.

Request

There is no server side validation of the imageClass value. You can send any value and it will be reflected in the response.

Response

We can try sending a few payloads to test for XSS issue. First, we can modify the imageClass value to imageClass=helloworld" onload="alert(1)". The response return a class="1" in the tag. We can try imageClass=helloworld" onclick="alert(1)". The response also return class="1" in the tag.

It seems like there is some blacklisting of some keywords such as onload or onclick etc. Hence we need to find the event handler method that is not blacklisted. Fortunately, this payload was not blocked: img2" onpointerup="alert('xss').

When we click on the image in the browser, the malicious script is executed.

Published inBug BountyWalkthroughWeb Security

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *