My First Finding Bug on a Bugcrowd BBP

Aman Bhuiyan
3 min read · Jun 3, 2024


Hi Bug Hunter,

Today I’m going to share my first bug discovery on a BBP program.

I selected a target on Bugcrowd yesterday. Since the report is still in its early stages, I am unable to reveal the company’s identity. Assume for the moment that the platform is icecream.com.

I began the recon phase and used subfinder and amass to gather the domains’ subdomains, then got to work gathering the endpoints from the live websites. Because the company uses so many wildcards and subdomains, it took far too long!

I started the automated script on my backup monitor and began intercepting the main corporate website with Burp. When I tried to register a new account, the page just redirected me to another one without telling me whether my account had been created or not. Despite repeated attempts, no account was created. Tired, I looked for a help desk or anything else I could find. Then, in Burp Suite, I discovered an intriguing endpoint! Upon visiting the endpoint, I found that it was a chatbot application.

My reaction was like that!

The agent initially asked for my five-digit zip code. After I entered a random code, the chatbot agent granted me access to an inbox. That was the goldmine I wanted!

I injected a basic HTML payload:

<h1>Hi</h1>

Hola!

The chatbox reflected this:

After that, I looked up how to turn this HTML injection into a serious vulnerability using Google Dorking. I also asked seniors and my friends on social media. I realized I could use it for CSRF or for XSS cookie theft. However, the out-of-scope section of the program explicitly listed CSRF. I therefore attempted to steal cookies using the HTML and XSS reflection, and made a few payloads.

<button onclick="alert(document.cookie)">XSS</button>

At last, the payload was included in the page that the agent cookie was attached to!

That is how the chat box responds when the payload is sent. After that, I clicked the “XSS” button. At last, the pop-up appeared.
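The root cause described above is a chat widget that inserts the visitor’s message into the page as raw HTML, so tags and inline event handlers become live DOM. The following is an added example, not code from the post or from the affected chatbot: it contrasts the vulnerable rendering pattern with the escaped one and includes a small regression check that a defender can keep in the widget’s test suite. The function names, the `msg` wrapper markup and the sample messages are all constructed for this illustration; the two message bodies are the payloads quoted in the post.

```javascript
// Added example (not the chatbot's real code). Runs under Node without a DOM,
// because the bug lives in the string that eventually reaches innerHTML.

// Escape the five characters that change meaning in HTML text and attributes.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Builds the markup for one chat bubble. With escape=false this is the
// vulnerable pattern from the post: the user's text is concatenated straight
// into markup, so <h1>Hi</h1> renders as a heading and a <button onclick=...>
// becomes a clickable element. With escape=true every untrusted value is
// escaped first and the browser shows the tags as literal text.
function renderMessage(author, text, escape) {
  const a = escape ? escapeHtml(author) : author;
  const t = escape ? escapeHtml(text) : text;
  return `<div class="msg"><b>${a}</b>: ${t}</div>`;
}

// Regression check for the widget's tests: the template itself contributes
// exactly four '<' characters (<div, <b>, </b>, </div>). Any extra '<' in
// the output means untrusted markup survived rendering.
function untrustedTagsSurvive(author, text, escape) {
  const rendered = renderMessage(author, text, escape);
  const openAngles = (rendered.match(/</g) || []).length;
  return openAngles > 4;
}

// Constructed sample transcript: the two payloads quoted in the post plus a
// benign message containing an ampersand (to show escaping keeps it readable).
const SAMPLE_MESSAGES = [
  "<h1>Hi</h1>",
  '<button onclick="alert(document.cookie)">XSS</button>',
  "Tom & Jerry",
];

// Render each sample both ways and report whether injected tags survive.
function demo() {
  for (const text of SAMPLE_MESSAGES) {
    for (const escape of [false, true]) {
      console.log(
        `${escape ? "escaped  " : "unescaped"} | tags survive: ${untrustedTagsSurvive("visitor", text, escape)} | ${renderMessage("visitor", text, escape)}`
      );
    }
  }
}

demo();
```

The check counts angle brackets rather than searching for `onclick`, because the escaped output still contains the literal text `onclick=`; only an unescaped `<` can turn that text into an attribute the browser will honour. Escaping on output is the primary fix; a `Content-Security-Policy` that blocks inline event handlers is a useful second layer but does not replace it.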

The next morning, I submitted the report with a PoC and waited for the response.

I hope the report will not be marked as a duplicate!

Edit: 01/08/2024

Finally, it triggered.

#HappyHacking
