Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read

Author:

June 29, 2017June 29, 2017 bbuerhaus lfr, phantomjs, ssrf, xss

I recently came across across a request on a bounty program that took user input and generated an image for you to download. After a little bit of a journey, I was able to escalate from XSS inside of an image all the way to arbitrary local-file read on the server. It's a private program, so I'm going to do my best to redact as much information as possible.

Continue reading →

Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities

Author:

Brett Buerhaus

March 8, 2017March 16, 2020 bbuerhaus airbnb, auditor, csp, hackerone, json, waf, web, xss

Authors:

We recently started participating in Airbnb's bounty program on HackerOne. We heard a lot about this company in the past but had never used their service before. Overall they have a pretty solid website, but we were still able to discover a handful of issues. There is one vulnerability that we wanted to write about because of the level of protection in front of it. The goal of this write-up is to show others that sometimes it takes a little bit of creativity to discover potential flaws and fully exploit them.

The vulnerability we discovered is a series of Cross-Site Scripting attacks that involved bypassing JSON encoding, an XSS filter, a pretty decent WAF, CSP rules, and eventually getting it to bypass Chrome's XSS auditor.

Continue reading →

Yahoo Login Protection Seal – Stored CSS Injection

Author:

Brett Buerhaus

April 18, 2016September 8, 2016 bbuerhaus bug bounty, css, xss, yahoo

In 2014 I discovered a vulnerability on Yahoo's Login Protection seal that allowed for CSS injection. This information was saved to the browser and IP, persisting across login sessions on that computer. The protection seal feature has since been removed from the login page, but the feature still exists in your account preferences.

Continue reading →

admin.google.com Reflected Cross-Site Scripting (XSS)

Author:

Brett Buerhaus

January 21, 2015February 12, 2015 bbuerhaus admin, bug bounty, cross-site scripting, google, research, security, xss

After learning about Google's bug bounty program, I decided to look for vulnerabilities on their most sensitive services. Finding a vulnerability on admin.google.com was challenging; I managed to find a simple, but interesting form of Cross-Site Scripting.

Continue reading →

Facebook – Stored Cross-Site Scripting (XSS) – Badges

Author:

Brett Buerhaus

June 16, 2014February 12, 2015 bbuerhaus cross-site scripting, facebook, security, whitehat, xss

The Facebook badges page was vulnerable to stored Cross-Site Scripting (XSS). This was initially reported back in August 2013, but due to communication problems over e-mail it wasn't fixed until early January. Neither party is to blame, but this shows some of the difficulties that companies can face communicating with security researchers.

Continue reading →