Pentest War Stories-ish
Always Escalate Your XSS
Yooo. Welcome to Issue #18 of Navigating Security.
Quote of the week:
Always look for ways to chain bugs to increase the impact - one crit is cooler than two mediums.
What To Expect
How & Why You Should Escalate Your XSS
Actionable Research For Your Resume
This Week's YouTube Video:
The newsletter is currently not sponsored.
Always Escalate XSS
Recently I worked on a web pentest that had multiple tiers of users - the best type of application. Obviously, by the heading above, you know I found XSS - stored XSS, to be exact. I'm not always on the hunt for client-side vulnerabilities, but I'll throw in a couple of payloads here and there to see if there's any sort of reflection. This time around, there were multiple instances of stored XSS, and I found myself smiling from ear to ear.
I won't go into the intricacies of how to exploit XSS, but in an application with multiple tiers of users, if a low-level user (or any user, in fact) can store an XSS payload that gets executed by other users interacting with the application, you can take over accounts.
This can happen in two ways: either set up your payload to make application-level requests on behalf of the user, or exfiltrate their cookie if attributes like HttpOnly and Secure are not set. HttpOnly is the main one - cookies can still be exfiltrated over TLS even if Secure is set.
If you're doing bug bounty, some of these small items, such as HttpOnly being set to false, might not seem impactful on their own. However, if you take note of them and apply them to the broader context of the application, you can escalate a medium-severity stored XSS to a high/critical account takeover.
During this test, I was able to do both - make application-level requests on behalf of other users and exfiltrate user cookies to my testing server.
NOTE: Make sure you control the infrastructure you exfiltrate the cookies to. Do not use websites such as webhook[dot]site. Spin up a Python Flask server, generate a self-signed certificate using OpenSSL, and listen for connections.
Let me know if you'd like me to do a bit more of a technical follow-up with my exact process and payloads - wasn't sure if that would be interesting or not.
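To make the "take note of the small items" advice concrete, here is an added example (my code, not the newsletter's) that audits Set-Cookie headers for the two attributes discussed above and maps the result onto the escalation reasoning: a session cookie readable by script turns a stored XSS into an account takeover, and Secure alone does not prevent that. The cookie names and header values in the block are constructed samples.

```python
# Added example, not code from the newsletter: audit Set-Cookie headers for
# HttpOnly and Secure and rate a stored XSS against the session cookie's state.
# All header values below are constructed samples.
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and record which protections are absent."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"not a cookie header: {header!r}")
    name = parts[0].split("=", 1)[0].strip()
    httponly = secure = False
    for attr in parts[1:]:
        # Attribute names are case-insensitive; flags like HttpOnly carry no value.
        key = attr.partition("=")[0].strip().lower()
        if key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
    audit = CookieAudit(name=name, httponly=httponly, secure=secure)
    if not httponly:
        audit.findings.append("HttpOnly missing: page script can read the cookie")
    if not secure:
        audit.findings.append("Secure missing: cookie is also sent over plain HTTP")
    return audit


def xss_impact(audits: List[CookieAudit], session_cookie: str) -> str:
    """Rate a stored XSS given the session cookie's attributes.

    Follows the post's logic: if the session cookie lacks HttpOnly, script can
    read it and the XSS becomes an account takeover. Secure does not change
    that, the theft simply happens over TLS. With HttpOnly set, the payload is
    limited to acting as the victim from inside the page.
    """
    for a in audits:
        if a.name == session_cookie and not a.httponly:
            return "high/critical: stored XSS + readable session cookie = account takeover"
    return "medium: session cookie not readable by script; payload limited to in-page requests"


if __name__ == "__main__":
    # Constructed sample headers, as a response from the tested app might send them.
    sample_headers = [
        "session=abc123; Path=/; Secure",
        "theme=dark; Path=/",
    ]
    audits = [parse_set_cookie(h) for h in sample_headers]
    for a in audits:
        print(f"{a.name}: HttpOnly={a.httponly} Secure={a.secure}")
        for f in a.findings:
            print(f"  - {f}")
    print(xss_impact(audits, "session"))
```

The session cookie name is whatever the application uses; pass it in rather than guessing, since a non-session cookie without HttpOnly is a low finding while the same gap on the session cookie is what drives the escalation.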
Actionable Research For Your Resume
As for actionable research, since I was able to make application-level requests, I wanted to see if I could make internal requests. This was a bit of a stretch because I had no clue what the backend of the application looked like, but I still wanted to see how far I could get.
I tried various payloads, context switching, and all that stuff to see if I could reach anything internally - but to no avail. I probably missed something, so I just noted it down as: XSS to SSRF?
I've seen some articles about it, but nothing seemed concrete. There are obviously instances where it's an easy bug chain, but what about the more intricate scenarios? Here's my advice to you: instead of spending your hard-earned money on a certification that will take you six months to study for, take a month to dive deep into this topic and build case studies that show a repeatable methodology. Even if it doesn't end up being repeatable, research that touches on edge cases is still valuable.
This will get you more attention than a cert probably will. If you don't do it, someone else will. I know I'll be circling back to it at some point.
I have noted down a lot more potentially valuable research topics. Let me know if you would want me to do a video about these.
In case you missed the previous issue, here you go:
Suggestions
Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.