Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
Can you access our private tool, XSS Destroyer?
Medium
Misc / Application Logic
As the title says, are you able to access our private tool, XSS destroyer? It's currently in BETA mode and we aren't accepting new users but if you have access to it, let us know what you think!
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
Browse the source code of https://www.bugbountytraining.com/challenges/challenge-14.php and you will see a reference to <script src="xss-tool/report.php">. Visiting /xss-tool/report.php will show you the following error:
{
"status":500,
"error":"Internal Server Error",
"message":"An error occured while trying to call the rest service. \n Url: /report.php \n Server: XSSDestroyer \n Auth-Token: 343ce5c8-66c0-4fb7-862a-42127f86b50d \n Cookie:s=eyJ0aW1lRXhwaXJlIjoiMDEvMTIvMjAyMCJ9",
"path":"/xss-tool/report.php"
}
If you send the Auth-Token: header from that error message to report.php, it will respond with two XSS discovered on example websites. Congratulations, this is the first part!
We still need to access the tool itself, but where is it? If you visit /xss-tool/robots.txt then you can see:
Disallow: /xss-tool/destroyXSS.php
Disallow: /xss-tool/report.php
Visiting destroyXSS.php with the cookie Cookie:s=eyJ0aW1lRXhwaXJlIjowMS8xMi8yMDIwIn0= gives us an error that it has expired.
Decode eyJ0aW1lRXhwaXJlIjoiMDEvMTIvMjAyMCJ9 and you get {"timeExpire":"01/12/2020"}. So with that in mind, create a new base64 encoding for today's date, then revisit destroyXSS.php with it, and there you have it, you're in!
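Why the last step works, and what closes it, as an added example that is not the challenge's own code: the cookie is only base64-encoded JSON, so the expiry is whatever the client says it is, whereas an HMAC-signed cookie cannot be edited without detection. The SECRET value, the function names, the DD/MM/YYYY date order and the body.tag cookie layout are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json
from datetime import date, datetime

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client
LEAKED = "eyJ0aW1lRXhwaXJlIjoiMDEvMTIvMjAyMCJ9"  # cookie value shown in the error on the page

def decode_cookie(value):
    """Base64 is an encoding, not protection: anyone can read the JSON."""
    return json.loads(base64.b64decode(value))

def encode_cookie(payload):
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()

def parse_expiry(payload):
    # Assumption: DD/MM/YYYY; the page does not state the order the server uses.
    return datetime.strptime(payload["timeExpire"], "%d/%m/%Y").date()

def weak_is_valid(cookie, today):
    """The flawed check: trusts an expiry date that the client controls."""
    return parse_expiry(decode_cookie(cookie)) >= today

def _tag(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def sign_cookie(payload):
    """Server-issued cookie: base64 body plus an HMAC-SHA256 tag over it."""
    body = encode_cookie(payload)
    return f"{body}.{_tag(body)}"

def hardened_is_valid(cookie, today):
    """Verify the tag before reading any field from the body."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return False  # unsigned cookie, e.g. the old format
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False  # body was edited after the server issued it
    try:
        return parse_expiry(decode_cookie(body)) >= today
    except (ValueError, KeyError):
        return False

if __name__ == "__main__":
    today = date.today()
    print("leaked cookie decodes to:", decode_cookie(LEAKED))
    print("weak check on leaked cookie:", weak_is_valid(LEAKED, today))
    print("hardened check on leaked cookie:", hardened_is_valid(LEAKED, today))
```

Keeping the expiry in server-side session state instead of in the cookie avoids the problem entirely; the signed form is the smallest change to the existing design.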