Welcome to my playground which is a live web application containing recreated real life web vulnerabilities. Practise your hacking on this web application and see if you can use your curious mindset to discover all vulnerabilities. Some might be easy to find, some may require a keen eye.
This web application is a demo of what you can expect from BOUNTYHUNTER which contains a larger web application with more bugs. Please note triaging of issues on this free challenge is not available and this is only available for the members area.
Good luck and happy hacking!
Rules
No automated scanners to be used at all. Where's the fun in letting a tool do all the work? Hack on the scope manually or risk being restricted from the service.
You do not need to brute force anything.
You do not need to scan for directories or files
Hack on this manually and have fun.
Subdomains are NOT in scope and you are only allowed to practise hacking on the scope defined below.
Revealing vulnerabilities may ruin the experience for you if you have not spent time testing on the defined scope as it may reveal bugs you were working on.
Please make sure to verify you wish to reveal vulnerabilities on my playground before continuing.
I understand and I wish to continue
1. Reflective XSS
There is a reflective XSS vulnerability on the following endpoint:
which is executed when the user clicks "Login" and then when they click "Return to previous website". The FROM parameter can be found from reading custom-script.js which reveals const redirectUrl = urlParams.get('from').
2. Open URL Redirect
There is an Open URL redirect on the following endpoint:
This can be found when navigating to menu.php and browsing the HTML code, which shows <a href="#" id="returnUrl" style="display:none;">Go back >></a>. The use of returnUrl as an ID should be enough for an attacker to try this parameter.
3. Reflective XSS with bypass
There is an XSS vulnerability on the endpoint:
http://bugbountytraining.com/FFHv2/index.php
located in the parameter act. When sending an invalid value it will be reflected in the HTML source, however there is an XSS filter in place. To bypass it the researcher needs to establish that as long as they don't end their HTML tag, it will work, as well as using new on{} event handlers which aren't filtered.
Examples of bypasses: ?act=logina--><img src=x onpointerrawupdate=prompt`0` id="" ?act=logina--><script src=//yoursite.com?c=
4. Obtaining valid credentials to login
When browsing the menu on FastFoodHackings located at http://bugbountytraining.com/FFHv2/menu.php, a request is made to /api/loader.php?f=/reviews.php. The fact an URL is using a file (seen with the extension .php) should alert the researcher that something interesting is happening here.
From further analysis of the web application, researchers will find ?f=/generate-credentials inside the script.min.js file. Now upon visiting /api/loader.php?f=/generate-credentials, valid credentials will be created.
5. IDOR which reveals every users information
After logging in you will notice a request is made to
and at first glance, the ?id= parameter appears to be a GUID value, which can't typically be brute forced. However curious minds will soon learn that you can simply use an integer value (such as 1, 2) and it will happily accept these values, thus revealing other users information!
