Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
Can you access our private tool, XSS Destroyer?
Medium
Misc / Application Logic
As the title says, are you able to access our private tool, XSS Destroyer? It's currently in BETA mode and we aren't accepting new users, but if you have access to it, let us know what you think!
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
Browse the source code of https://www.bugbountytraining.com/challenges/challenge-14.php and you will see a reference to <script src="xss-tool/platform.js">.
Now that you've discovered a new endpoint, /xss-tool/, a common next step is to check whether a robots.txt file exists. Browsing this you will see both report.php and destroyXSS.php.
Visiting /xss-tool/report.php will show you the following error:
{
"status":500,
"error":"Internal Server Error",
"message":"An error occured while trying to call the rest service. \n Url: /report.php \n Server: XSSDestroyer \n Auth-Token: 343ce5c8-66c0-4fb7-862a-42127f86b50d \n Cookie:s=eyJ0aW1lRXhwaXJlIjoiMDEvMTIvMjAyMCJ9",
"path":"/xss-tool/report.php"
}
If you send the Auth-Token: header with the correct value to report.php, it responds with two XSS discovered on example websites. Congratulations, this is the first part!
Next, visiting destroyXSS.php with the cookie Cookie:s=eyJ0aW1lRXhwaXJlIjowMS8xMi8yMDIwIn0= gives us an error that it has expired.
Decode eyJ0aW1lRXhwaXJlIjoiMDEvMTIvMjAyMCJ9 and you get {"timeExpire":"01/12/2020"}. So with that in mind, create a new base64 encoding for today's date, then revisit destroyXSS.php and there you have it, you're in!
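The expiry cookie above is only base64-encoded JSON, so the server is trusting a value the client can rewrite. The following added example (not part of the challenge or its source code; the key, the function names and the DD/MM/YYYY reading of the date are assumptions) contrasts that kind of check with one that verifies an HMAC before reading the date.

```python
import base64, hashlib, hmac, json
from datetime import date, datetime

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client

def parse_expiry(raw: bytes) -> date:
    # The page's cookie decodes to {"timeExpire":"01/12/2020"}; DD/MM/YYYY is assumed.
    return datetime.strptime(json.loads(raw)["timeExpire"], "%d/%m/%Y").date()

def weak_check(cookie: str, today: date) -> bool:
    """Trusts whatever the client sent: base64 is an encoding, not protection."""
    return parse_expiry(base64.b64decode(cookie)) >= today

def _mac(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_signed(expiry: date) -> str:
    """Server-side issuance: payload plus a MAC the client cannot recompute."""
    payload = json.dumps({"timeExpire": expiry.strftime("%d/%m/%Y")}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_mac(body)}"

def hardened_check(cookie: str, today: date) -> bool:
    """Verify the MAC before parsing; reject anything unsigned, malformed or modified."""
    body, sep, tag = cookie.partition(".")
    if not sep:
        return False  # legacy unsigned cookie: no MAC, no access
    if not hmac.compare_digest(_mac(body).encode(), tag.encode()):
        return False
    try:
        return parse_expiry(base64.urlsafe_b64decode(body)) >= today
    except (ValueError, KeyError, TypeError):
        return False

def reencode_unsigned(expiry: str) -> str:
    # What any client can do with the unsigned format: encode a different date.
    return base64.b64encode(json.dumps({"timeExpire": expiry}).encode()).decode()

if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed "current date" for the demo
    page_cookie = "eyJ0aW1lRXhwaXJlIjoiMDEvMTIvMjAyMCJ9"  # value shown in the error above
    print("weak, original cookie:  ", weak_check(page_cookie, today))
    print("weak, re-encoded cookie:", weak_check(reencode_unsigned("01/12/2099"), today))
    print("hardened, unsigned:     ", hardened_check(page_cookie, today))
    print("hardened, server-issued:", hardened_check(issue_signed(date(2099, 12, 1)), today))
```

Signing only stops the date from being changed; the verbose 500 response that printed the Auth-Token and cookie is a separate leak and needs generic error messages on its own.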