This is part 9 of the P4 bugs series; if you haven’t checked the previous parts, check them out first. Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8
Hi everyone, I am socalledhacker, a security researcher, penetration tester, certified ethical hacker and a web3 noob. Over the past months I have discovered lots of bugs, but in today’s article we are going to discuss low-hanging fruit, or P4 vulns, since they are very easy to find and are present in almost every website. So let’s start with our first vulnerability.
1. HTML Email Injection
This is a common bug found on lots of websites; I discovered it in many programs, including some hosted on platforms like HackerOne and Bugcrowd.
When you sign up on a website, it sends a verification link to your email address, and that email usually contains something like “Hi <Yourname>”. To find HTML email injection, put an HTML payload in the first name and last name fields while signing up, since this is the only user data reflected in the email the website sends.
So put a payload like the one given below (make your own image payload). The payload will fire when the email is rendered in your inbox. If the website doesn’t allow HTML content in the first and last name fields, check whether the validation is only client-side and, if so, try to bypass it using Burp Suite.
Payload- <img src="https://t.ly/DXvtn">
Now let’s make POC 🙂
Description:- HTML injection is a vulnerability in which attacker-provided input is rendered as HTML. HTML injection in emails lets attackers phish users from a legitimate email address.
Steps to reproduce:-
- Go to the URL https://site.com
- Create an account with the HTML payload in the first name and last name fields.
- Trigger a reset password/verification email.
- The image will be rendered in the verification/reset password email sent by the website.
Impact:- This vulnerability allows the content of emails from an official email address to be reformatted/edited, which can be used in targeted phishing attacks. This could lead to users being tricked into giving their logins away to malicious attackers.
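To show where the bug lives and how it is fixed, here is an added example (not code from the original post or from any affected site): a constructed email greeting template rendered once with the name inserted verbatim and once HTML-escaped, plus the kind of server-side check a sign-up handler can run on name fields. The template, the payload and the image URL are all constructed for this example.

```python
import html
import re

# Constructed email template: the display name is the only user-controlled part.
GREETING_TEMPLATE = (
    "<p>Hi {name},</p>"
    "<p>Click the link below to verify your account.</p>"
)

# Constructed name payload of the kind the write-up describes (an <img> tag).
INJECTED_NAME = '<img src="https://example.invalid/tracker.png">'

# Matches anything that looks like an HTML tag inside a name field.
TAG_RE = re.compile(r"<[^>]+>")


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the name is concatenated into the HTML body as-is,
    so a tag in the name becomes live markup in the recipient's mail client."""
    return GREETING_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened pattern: HTML-escape the name (including quotes) so that
    <, >, & and " arrive as literal characters, never as markup."""
    return GREETING_TEMPLATE.format(name=html.escape(name, quote=True))


def contains_markup(value: str) -> bool:
    """Server-side validation for sign-up handlers: reject names that carry
    tags. This must run on the server, since client-side checks alone are
    trivially skipped with an intercepting proxy."""
    return bool(TAG_RE.search(value))


if __name__ == "__main__":
    print("unsafe :", render_unsafe(INJECTED_NAME))
    print("safe   :", render_safe(INJECTED_NAME))
    print("flagged:", contains_markup(INJECTED_NAME))
```

Escaping at render time is the fix that holds even if validation is missed elsewhere; the tag check is a second layer that also gives you a log line to alert on.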
2. Origin IP disclosure leads to WAF Bypass
This is an interesting and impactful bug. It only applies if the application is behind some type of web application firewall; otherwise it is out of scope.
Sometimes companies use a WAF but misconfigure it, or for some other reason the origin IP of the website is disclosed. To find the origin IP, remember these three steps –
- Check whether the application is using some sort of WAF, using tools like Wappalyzer, WafW00f, DNSlytics, etc.
- Try to find the origin IP on Shodan, Censys, etc., or use tools available on GitHub.
- Once you have found an IP address, open it in the browser: the content hosted on the IP must match the content hosted on the domain (the page served by the IP and by the domain must be the same). The second criterion is that an IP lookup via https://whatismyipaddress.com/ip-lookup must return a hostname matching the domain name.
After all these steps you are good to go…
So, let’s see the POC 🙂
Description:- By using this IP address as a resolver instead of the intended addresses, I’m able to access the service without going through the WAF, thus I’m able to forward unfiltered payloads to the service, as well as avoiding the common protections offered by Cloudflare, and also being able to perform a crippling denial-of-service against the origin.
Steps to reproduce:-
- Enumerate the subdomains of https://target.com
- Check the firewall in use with a tool like DNSlytics or WafW00f
- To get the origin IP, use sites like https://search.censys.io/ and https://www.shodan.io/
- Do an IP lookup of the IP
- Enter the IP in the URL bar and hit enter to check whether the IP serves the subdomain’s content
Impact:- Cloudflare bypasses can have a significant impact, as any adversary is now able to communicate with the origin server directly, enabling them to perform unfiltered attacks (such as denial-of-service) and data retrieval.
That’s it for this article. I will upload more articles on web2 bugs, covering everything from P4 to P1, in the near future, so stay tuned … 🙂
Buy Me a Coffee : https://buymeacoffee.com/socalledhacker