FurHire - XSS, WAF-Bypass

This challenge came with the hints XSS, Account Takeover and WAF-bypass. So a lot to go through.

As usual, I made sure I understood what the application was build to do. After clicking around for a bit, getting blocked by the WAF for trying to drop obvious payloads in the profiles, job postings, applying to jobs, etc. I knew my first task would be to try and figure out how to bypass the WAF before going any further.

After doing some research, I found this https://github.com/assetnote/nowafpls. This basically tells me that some WAFs only check the first N amount of bytes on something. So when I tried posting something with a lot of garbage in front of it, the request actually made it through.

Unfortunately, this didn't pop a box, but I knew how to bypass the WAF. Success #1.

So now I needed to find a way to pop a box. I noticed when testing, when my JobSeeker account applied on a job and got accepted, a small toast message would appear. When I looked at the HTML of that toast message, I saw that it was created inside a <span>, so that could possibly lead to an XSS.

So I tracked down the request that started this behavior and ended up on the endpoint PUT /api/applications/:id/status So I put my payload there.

And it got executed! Success #2!

So now we had to find something that would make our payload work on the victim Jeremy. Because the cookies were set to httpOnly , it would be not possible to steal them with XSS.

When clicking around, I found in the profile a possibility to update your password. This was done with a simple call to PUT /api/profile/password, no (CSRF)tokens, no restrictions, just a PUT request. So maybe JavaScript could make this call for me...

<img src=x onerror=
"fetch('/api/profile/password',
    {method:'PUT',headers:
        {'Content-Type':'application/json'},
        body:JSON.stringify({newPassword:'password'})})"
>\

To get this payload to work inside a JSON object, I had to escape the " with \" and then accept an application from Jeremy, intercept the traffic, and inject that payload.

By doing this, normally Jeremy's password would update to password.

I tried logging in under the name Jeremy with password

And there it was, the big beautiful flag 🇧🇪

PreviousWeekly labs NextGalaxy Dash - prototype pollution

Last updated 3 months ago