Multiple XSS on Intel

XSS that was too simple to find!!!

 

Hi all, I hope everyone is benefiting from the blog posts.
This time let's take a tour of XSS. It's a simple attack, as it's basically a client-side attack (talking about reflected XSS). All you need to do is inject some HTML tags / scripts and check whether they are being filtered / sanitized; if not, then you can easily find XSS.

To go deeper into XSS, I would say that whenever you inject (sexy word every hacker uses to describe the critical implication 😂😂😂😂😂) HTML tags, do check them in the source code to see whether something is getting filtered or not. If it's getting filtered, you can use double encoding or some other suitable method to bypass the WAF, and again you need to check which type of WAF is being used to work out some methods to bypass it.

So what I did was go to Google and use Google dorks (the best self-made tool for finding everything; no tool that has been made is as good as Google dorks [do remember that]). I went to Google, typed in "site:*.intel.com" and searched, and I found many results with proper sub-domains. I went on testing each one of them and found that most of them were secured and had proper mitigation for the XSS bug, but then I saw a subdomain named cloudbuilder.intel.com and I was like...

So I went ahead and, as usual, first tried my payloads in the search bar to see if it was vulnerable to XSS, and I found that the search bar was not executing my scripts. So I looked into the page source to see if some WAF was there, and found that it was filtering some of the scripts and special chars. So I thought it wouldn't be possible to have an XSS here..... Damn!!!


The best thing you can do in these moments of disgrace is not to lose the only hope of finding the bug. So I was scrolling up and down the page to see if any links had parameters that I could inject some scripts into to check for XSS (I am definitely not going to test any other bugs as they only provide a certificate 😉😉😉😉). While losing hope of getting an XSS, I saw there was a button called Advance search, so I thought let's check it out, as I had already tried every link in the page. So let's take a chance that it's vulnerable, and I finally found that YES!! indeed...
So I found that the XSS was working properly, which obviously means all HTML tags will also work. I tested different tags to check whether they worked, found that everything was perfect and fine, and I was ready to write the report, but then something stuck in my mind saying......
What if there are more domains of the same type with the word "builder" among Intel's sub-domains, and what if they are also vulnerable to this XSS? I went ahead and again searched for sub-domains of the same type using Google dorks and found another two domains like this one, and both were vulnerable to XSS. I was like ....
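
What the post found, a main search bar that filtered input while the Advance search page reflected it, is what per-page filtering looks like from the defender's side. The added example below (not code from the original post or from Intel; the route names, handlers and probe string are constructed) contrasts that with a template helper that encodes every reflected value by default, plus a check that lists any route echoing the probe unencoded.

```javascript
// Added example; routes, handlers and the probe are hypothetical/constructed.

// Encode the characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: each handler does its own filtering, so protection exists only
// where someone remembered it. The advanced search page was missed.
const handlersBefore = {
  '/search': (q) => `<p>Results for: ${escapeHtml(q)}</p>`,
  '/advanced-search': (q) => `<input name="q" value="${q}"><p>Results for: ${q}</p>`,
};

// After: a tagged template encodes every interpolated value by default,
// so a new page cannot forget to do it.
function html(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}
const handlersAfter = {
  '/search': (q) => html`<p>Results for: ${q}</p>`,
  '/advanced-search': (q) => html`<input name="q" value="${q}"><p>Results for: ${q}</p>`,
};

// Regression check: list the routes whose response echoes the probe unencoded.
function routesReflectingRaw(handlers, probe) {
  return Object.keys(handlers).filter((route) => handlers[route](probe).includes(probe));
}

// Constructed, inert probe: a quote and bracket to leave an attribute, then a harmless tag.
const PROBE = '"><i>probe</i>';

console.log('before:', routesReflectingRaw(handlersBefore, PROBE));
console.log('after: ', routesReflectingRaw(handlersAfter, PROBE));
```

Running the same check against every route that reflects a parameter, not only the main search box, is what catches the page that was written separately.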

Here's the Video POC:


Finally, I prepared a report with multiple XSS in Intel Sub-domains. They acknowledged my report and prepared a fix and provided me with a certificate of appreciation:

Thanks all for reading :) Keep Hunting, Keep Growing, Keep Learning!!!



 
