Hi again! So here is one more writeup on a simple yet tricky open redirect bug I found on a private application.

I have once submitted an open redirect vulnerability for this specific target (let’s call it site.com) a few months back and confirmed that the bug has already been fixed — that’s what I thought, at least.

My target site.com is using a 3rd-party Live Chat application (livechat.com) and used as a widget on their application. The site.com is redirecting its users to their Live Chat Channel whenever the chat icon is clicked, and the endpoint /redir?url=


Hi InfoSec and non-InfoSec Community! This is John Fiel Brosas, a Security Analyst from the Philippines. It’s been a while since I wrote something here in Medium. Anyway, I hope you are all doing well in these trying times. :)

This writeup is about how I found an interesting way or payload of XSS (Cross-site scripting) that bypasses WAF Cloudflare protection.

I’ve been testing let’s say redacted.com (for privacy) and was looking for any XSS vulnerabilities on the URIs, inputs, file uploads, etc.

I usually start with basic XSS payloads

<script>alert(1)</script>

then tried

“><img src=x onerror=alert(1)>

<svg/onload=prompt`1` >

<svg onload=prompt%26%23x000000028;document.domain)>


I was running a test on a specific website and I stumbled upon an xmlrpc.php file.

The XMLRPC is a system that allows remote updates to WordPress from other applications. For instance, the Windows Live Writer system is capable of posting blogs directly to WordPress because of xmlrpc.php. In essence, xmlrpc.php could open the site to various attacks and other issues.

The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface. These include:

  • Publish a post

Granting public “WRITE” access to your AWS S3 buckets can allow anonymous users to upload, modify and delete S3 objects without permission. Every AWS DevOps should know about this and the risks, at least.

In one private program at Bugcrowd, I came across a page where user can be able to upload files. I was not surprised that the uploaded files were saved on AWS S3 bucket (it’s the most commonly used storage nowadays).

The first thing came into my mind is if how is the permission set on their AWS S3 bucket.

On my first try, I was surprised…

Johnfiel

Security, Technology, and everything in between.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store