Posts

An old Stored XSS story

This is a short story about my first triaged bug on HackerOne, when I started in 2020. At that time I was learning about web vulnerabilities through PortSwigger's Web Security Academy and practicing on a public bug bounty program from HackerOne. I chose this program mainly because I was a consumer of this brand (a Chinese mobile manufacturer), and I had a mobile phone from them.

The Target

During the tests, I focused on a single domain in charge of storing your contacts and files in the cloud. This way, whenever I added a new phone contact on my mobile, I was able to see it on that website, and vice versa. After understanding all the functionalities, I focused on the phone contact creation, which had a REST API endpoint that the web interface called with a POST request. Apart from the API endpoint, there was an option to create users using VCF files. The VCF file is an important actor in the payload stage, stay with me :D

The Issue

Understanding the phone contact creati

Intigriti CTF 12-23

After a long time, this month I had the opportunity to attend the monthly CTF provided by Intigriti. As part of the learning process I really recommend everybody attend it; it is a mind-blowing experience. You can find more information about the CTF and many other things in Intigriti's Discord community. The CTF is available through the link https://challenge-1223.intigriti.io/challenge.php Here we go!!

Summary

At first glance, the target is a simple HTML page containing a text box where the payloads should be sent. It also shows the regex that is applied to check the text. If we pass a malicious payload, the regex is going to catch it.

Recon

The page also provides us with the source code running on the server side; let's go through it. In summary, the source code uses the PHP Smarty template engine to render the pages. Further down, we can see two IF clauses. The first will redirect you in case the text posted is not being submitted by t

Intigriti - XSS Challenge 1121

Before everything, I should say that it was a very hard challenge. I spent many hours, but I managed to solve it. Here we go!

Summary

The XSS challenge hosted by Intigriti occurs once a month. You can follow them on Twitter to stay tuned about upcoming challenges and other nice infosec content. I really recommend you try those challenges, as they are a good source for learning and they are always very challenging. The challenge created by @IvarsVids was available on https://challenge-1121.intigriti.io/

(Image: challenge instructions page)

Context

As usual, in the XSS challenge we need to find a way to execute the XSS alert(document.domain). This time the scenario was a bit different: there was a Vue.js page with a .php extension which receives text input from users in the challenge page.

(Image: challenge page)

Reconnaissance

The challenge page receives a request parameter called s with the input value, and it results in the vuejs.php page being loaded which forwards some redirects, let's check it b

Intigriti - XSS Challenge 10-21

Today I'm going to write about the XSS Challenge 1021 from Intigriti which I was able to manage!

Summary

The XSS challenge hosted by Intigriti occurs once a month. You can follow them on Twitter to stay tuned about upcoming challenges and other nice infosec content. I really recommend you try those challenges, as they are a good source for learning and they are always very challenging. The challenge was available on https://challenge-1021.intigriti.io/

Context

The challenge was about executing an XSS where alert(document.domain) would be executed and it could not be a self-XSS.

(Image: part 1 of 2 - challenge page)

Reconnaissance

The page was composed of the instructions as well as an iframe with the page below. Reading the message, we can see a piece of information that could be relevant during the tests: a request parameter ?html= . Also, as there is only an iframe and no input field, the only way to insert the XSS would be through the URL.

(Image: part 2 of 2 - challenge page)

Checking the page using t