In the labyrinthine world of cybersecurity, bug hunting stands as a testament to perseverance and ingenuity. Finding bugs nowadays is like finding a needle in a haystack, but I was lucky enough to get that needle. Join me as I recount my exploits within Zendesk, unearthing vulnerabilities that led to triumph over elusive bugs.
Well, the story begins just like every bug hunter’s daily routine. Just a normal day in search of any bug that I could get my hands on. But no luck. The usual thought came in, “Time to jump to the next program”, and I jumped and landed straight on a program called ZENDESK.

Discovering Zendesk
The bug hunter’s daily routine involves scouring various websites and services for vulnerabilities. Zendesk, a prominent support desk provider, catches our attention as a potential target for exploration. Like many other platforms, Zendesk holds the promise of uncovering security weaknesses that could be exploited.
Understanding Zendesk
Now I had to find out what this website does. It took me about 20 minutes to understand that it was actually a support desk providing site for other websites.
Ok Now to Initialise the hunt..
Temp mail..Account Create. Bla Bla, And Logged on to my account.
Hmmm…. What next!!
Of course, time to test for XSS.
Basically, all I did was insert payloads into all the input fields I could get my hands on.
This is when I came across a rich text editor, but it did not have much functionality, just like normal text editors.
In it I found a URL input field, and what’s funny about this field is that it does not actually detect if the given input is a URL. So, I put my favorite XSS payload, “Love Img XSS Payload”, in the URL input field and clicked OK.
But Nothing….
But…Apart from the URL input field there was an ALTERNATIVE TEXT for the URL. So, I tested my luck on that…gave a random URL and dropped the XSS payload on the ALTERNATIVE TEXT and clicked on ok.
I Clicked on that Link and BOOM!!
Got XSSed….

Report Timeline
- Jul 23rd – Report Submitted
- Jul 24th – Report Triaged
- Aug 23rd – Bounty Time$$$
- Sep 12th – Resolved and Got listed on their HOF
And That’s How an Alternative Text Executed an XSS…As it Goes.
The Rise of the Web Application Firewall (WAF)
So, let’s get back to business. As I was investigating the XSS issue on the platform, I noticed that the XSS popup was triggered TWO times on the homepage. So, I searched for the endpoint where the XSS payload got executed.
But no luck. So I removed my payload from the first vulnerable endpoint, that is, the Alternate URL Text, and checked the homepage. To my surprise, the XSS popup triggered as usual, but this time it popped up only ONCE.
So, I looked up the macro to see if I had entered the payload anywhere else and, of course, I had entered a payload in the macro description field. So, I found another vulnerable endpoint. Time for POC.
For POC purposes I created a fresh macro, entered the payload in the macro description field and clicked on save… A Web Application Firewall (WAF) came smiling upon me saying “YOU HAVE BEEN BLOCKED”.
WAF BYPASS TIME!!!!!!!!!!!!!!!
After learning about the working of the WAF I found out a “Not so Complicated” Method to bypass it.
Don’t enter the payload at the beginning itself while creating the macro. Instead, while creating the macro, just enter random things in the description, and after creating the macro, edit the description and enter the payload. Shorter version: the WAF only scans the content that is entered the first time and does not care what you enter afterwards.

After this BYE BYE WAF. The payload got saved successfully and also got triggered on the homepage.
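The fix for both findings above, as an added example that is not part of the original post or Zendesk's code: a constructed in-memory macro store shows why an input filter applied only on create misses edits, and why encoding at render time protects both the macro description and the link alternative text whatever the write path. `MacroStore`, `looksLikeMarkup`, `safeHref` and the render helpers are hypothetical names, and the filter regex is an assumption about what the WAF matched.

```javascript
// Added example: a constructed model, not Zendesk's code. All names are hypothetical.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>'; // payload quoted in the write-up

// Stand-in for the WAF rule (assumption: it rejects anything that looks like a tag).
const looksLikeMarkup = (s) => /<[a-z!\/]/i.test(s);

// Output encoding for HTML text and quoted-attribute contexts.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);

// The URL field accepted non-URLs; only absolute http(s) targets pass here.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '#';
  } catch { return '#'; }
}

class MacroStore {
  constructor(filterOnUpdate) { this.filterOnUpdate = filterOnUpdate; this.macros = new Map(); }
  create(description) {
    if (looksLikeMarkup(description)) throw new Error('blocked');
    const id = this.macros.size + 1;
    this.macros.set(id, description);
    return id;
  }
  update(id, description) {
    // Filtering on create only leaves this write path unchecked.
    if (this.filterOnUpdate && looksLikeMarkup(description)) throw new Error('blocked');
    this.macros.set(id, description);
  }
}

const blocked = (fn) => { try { fn(); return false; } catch { return true; } };

// Rendering: the unsafe form trusts stored data, the safe forms encode it on output.
const renderUnsafe = (desc) => `<div class="macro">${desc}</div>`;
const renderSafe = (desc) => `<div class="macro">${escapeHtml(desc)}</div>`;
const renderLink = (url, alt) => `<a href="${escapeHtml(safeHref(url))}">${escapeHtml(alt)}</a>`;

function demo() {
  const weak = new MacroStore(false), strict = new MacroStore(true);
  const idWeak = weak.create('random text'), idStrict = strict.create('random text');
  const editBlockedWeak = blocked(() => weak.update(idWeak, PAYLOAD));
  const editBlockedStrict = blocked(() => strict.update(idStrict, PAYLOAD));
  const stored = weak.macros.get(idWeak);
  return { createBlocked: blocked(() => weak.create(PAYLOAD)), editBlockedWeak, editBlockedStrict,
    unsafe: renderUnsafe(stored), safe: renderSafe(stored),
    link: renderLink('https://example.com/', PAYLOAD) };
}
```

Filtering the update path narrows the gap, but the render-time encoding is what still holds when some write path is missed.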

Report Timeline:
- Aug 10th – Report Submitted
- Aug 11th – Closed as duplicate of my first report
- Aug 17th – Report reopened after providing info that the two XSS issues are different
- Aug 23rd – Bounty Time $$$
- Aug 26th – Resolved and Got listed on their HOF
Conclusion
Check the number of XSS triggers (Number of XSS triggers = Number of Vulnerable endpoints)
Try to Bypass the WAF by not only changing the payload.
The payload that I used is <img src=x onerror=alert(document.cookie)>
MAY THE BUGS BE WITH YOU,



