Showing posts from April, 2020

Chaining No impact(N/A) Bugs to get High impact

I took part in the `Byte Bandits 2020 CTF`, conducted by the Byte Bandits team. It had a web challenge, `Notes App`, which is pretty cool: it is just a chain of small bugs, the kind that get reported in bug hunting and closed as N/A or out of scope. That is what made me want to elaborate on it and write it up as an article.


Notes App is a service running at `https://notes.web.byteband.it/`, and the source code was given. The functionality is simple: every user has exactly one note (sanitised by markdown2), and the admin has one too, which is the FLAG. There is also an admin bot that logs in to the admin account and then visits the URL we give it (no domain restrictions).

Observation 1: since there is an admin bot visiting links, there might be a chance for SSRF etc.
So we first tried for XSS. After many trials and searches, my teammate found https://github.com/trentm/python-markdown2/issues/341.
Through that we got XSS, but it was of no use: it is a SELF XSS :( (the note is only rendered to its own owner, so the script fires in our session, not the admin's).
payload <http://g<!s://q?<!-<[<script>alert(1);/\\*](http://g)->a><http://g&l…
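While hunting for the markdown2 bypass it helps to have a local harness that renders candidate notes and flags anything in the output that would actually execute script, instead of eyeballing HTML. The script below is an added example, not code from the write-up or from the challenge; it assumes python-markdown2 is installed (`pip install markdown2`) and uses `safe_mode="escape"`, which is an assumption about how the Notes App called the library, since the write-up does not quote its options. The candidate payloads are constructed here and are not the CTF payload shown above.

```python
"""Local harness for probing a Markdown renderer's HTML sanitisation.

Added example (not part of the original write-up or of markdown2).
Assumption: python-markdown2 is installed and the app renders notes
with safe_mode="escape"; the exact options the Notes App used are
not known from the write-up.
"""
import re
from html.parser import HTMLParser

# Constructed probe inputs; the real CTF payload is not reproduced here.
CANDIDATES = [
    "hello *world*",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "[click](javascript:alert(1))",
    "<http://example.com>",
]

SCRIPT_TAGS = ("script", "iframe", "object", "embed")
URL_ATTRS = ("href", "src", "action")
# data: is flagged conservatively; it is only script-capable in some contexts.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


class ExecutableHtmlFinder(HTMLParser):
    """Collects constructs that would run script if a browser rendered them.

    Escaped text such as &lt;script&gt; is data, not a tag, so it is ignored,
    which is exactly the distinction a sanitiser bypass check needs.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in SCRIPT_TAGS:
            self.findings.append((tag, None))
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append((tag, lname))
            elif lname in URL_ATTRS and value:
                # Browsers drop ASCII tab/newline inside URLs, so "java\tscript:"
                # still runs; normalise the same way before checking the scheme.
                scheme = re.sub(r"[\t\n\r]", "", value).strip().lower()
                if scheme.startswith(DANGEROUS_SCHEMES):
                    self.findings.append((tag, lname))


def find_executable_html(rendered_html):
    """Return a list of (tag, attribute-or-None) pairs that would execute."""
    finder = ExecutableHtmlFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


def render_note(markdown_text, safe=True):
    """Render a note the way the app is assumed to: markdown2 in safe mode."""
    import markdown2  # imported here so the checker loads without the library
    if safe:
        return markdown2.markdown(markdown_text, safe_mode="escape")
    return markdown2.markdown(markdown_text)


def probe(candidates=CANDIDATES, safe=True):
    """Render each candidate and report which ones survive sanitisation."""
    return {c: find_executable_html(render_note(c, safe=safe)) for c in candidates}


if __name__ == "__main__":
    for payload, findings in probe().items():
        status = "BYPASS" if findings else "sanitised"
        print(f"{status:10} {payload!r} -> {findings}")
```

Run it once with `safe=True` to confirm the obvious payloads are escaped, then feed it the odd autolink/comment combinations from the issue thread; a non-empty result for a safe-mode render is the bypass you are looking for, and the same checker can be pointed at HTML fetched from the live service.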