A Cybersecurity Researcher Stole User Information Through an XSS Attack Using Parameter Pollution

A cybersecurity researcher named Hamza Avvan was scrolling through Twitter when a motivational tweet inspired him to do some bug bounty hunting. He logged into his Bugcrowd account, looked for a program that suited his skills, and chose a target on which he had already found bugs earlier.

He started by reviewing the page source and the JavaScript files, and after a little research he found endpoints that looked vulnerable to open redirection, and possibly to XSS through it. The attack seemed feasible because the application redirected users to a destination taken from a request parameter after they completed certain actions.

His first attempt at a plain open redirect failed: the server answered with a 404 error page, apparently because it detected a foreign domain in the continue_url parameter. Knowing that the application ran on a Java stack and how HTTP parameter pollution (HPP) works, he supplied the same parameter twice in a single URL. To his surprise, the server validated only the first continue_url value and ignored the second, yet the redirect itself used the second value, sending him to the attacker-chosen URL without any restriction.

The researcher believes this was possible either because the developers never considered duplicate parameters while writing the code, or because they were unaware of how Java handles multiple parameters with the same name. In the Servlet API, for example, HttpServletRequest.getParameter() returns only the first value while getParameterValues() returns all of them, so a validator and a redirect sink that read the parameter through different paths can disagree about which value counts. The general lesson is that a check which inspects one occurrence of a parameter can be bypassed by anyone who appends a second occurrence carrying a different value.

He then tried to escalate to XSS by replacing the redirect value with a javascript: payload, but the server responded with 400 Bad Request. After a few more attempts he concluded that another layer of filtering was still in place, scanning for the keyword "javascript" and returning 400 whenever it appeared. Further probing convinced him that this filter was a regular expression matching the word javascript in the parameter value.

Fortunately, he knew a trick for this kind of filter: inserting a URL-encoded tab character (%09) into the keyword, for example java%09script:, so that the literal string "javascript" never appears in the parameter and the regex does not match. The browser's URL parser, however, strips ASCII tab and newline characters before interpreting a URL, so the payload is still treated as a javascript: URL and executes. (This only yields XSS when the redirect is performed client-side, for instance by assigning location.href; browsers do not execute a javascript: URL delivered in an HTTP Location header.) While building the proof of concept he decided to raise the impact by stealing the information of the currently logged-in user, and wrote a short script to do so.

With all the pieces in place he demonstrated the theft of user details, wrote up the proof of concept, and submitted it to the program. The report was triaged and he was awarded $1,250, his first bug bounty of 2021.

