Finding 5 in a single parameter What? How did that happen? 

GET /whoami HTTP/1.1 Jasmin Landry JR0ch17 …. Full time bug bounty hunter (sort of) Full time Dad (sort of) 

GET /agenda HTTP/1.1 • Web Application Context • Approaching the app and setting a goal • Doing recon • Exploitation • Recap of the bugs and mitigation 

GET /context HTTP/1.1 • Private bug bounty program • Job search web application • Users could simply sign up to look for jobs • Organizations could subscribe and post jobs, schedule interviews, etc • For testing purposes, I fortunately had access to a user account and employee account 

GET /approach HTTP/1.1 • Look at the app as if no other hacker has looked at it yet • Identify what could be impactful for the company • CTF Mindset -> Creating a fake flag 

GET /recon HTTP/1.1 • Recon != Subdomain Reconnaissance • Browse the application like a regular user • Enable all possible features –> Expanding the attack surface • Reading JavaScript files • Identify potential attack scenarios 

GET /exploitation HTTP/1.1 • User input accessible to employees -> Stored XSS? • Back to the drawing board • Resume File Upload? -> Docx file converted to a PDF? Interesting • Back to the drawing board, again • Organizations can reach out to users, even if they don’t have a resume? -> Interesting, profile info is getting parsed. But where and how? 

GET /exploitation?page=2 HTTP/1.1 • When doing my initial phase of browsing, none of my payloads reflected on the organization side? • The application suggests potential users for specific jobs -> Maybe blind XSS? 

GET /exploitation?page=3 HTTP/1.1 • Blind XSS worked (on the address field), we have our first bug! –> It literally triggered seconds after I put my payload • Interesting file:// URL instead of the regular http:// or https:// 

GET /exploitation?page=4 HTTP/1.1 • If we look closer at the User-Agent -> Most likely an automated job • Which is great since we can easily test other payloads • One path in particular is the name of the software used • It’s actually an HTML to PDF converter? 

GET /exploitation?page=5 HTTP/1.1 • But where is the PDF file being generated? • After a long search and help from the program’s dev, we found it was in an S3 bucket. Great! • Installed the software locally, tested it and found that we can read local files with iframes • • Win! Bug #2 • We can also get an SSRF by fetching internal HTTP resources • • Win! Bug #3 • To me this was a single bug since it had the same root cause, but they actually considered them 3 separate bugs! 

GET /exploitation?page=6 HTTP/1.1 • After talking with the dev about these bugs, they looked up the code to see what exactly was happening • Turns out, they would also parse it to XML -> XXE? • You guessed it, it worked! • PoC was simply to show it made requests to my own server • Keep in mind, we’re still in the address field! • Awesome, because of my address, I’ve found 4 high-impact bugs! 

GET /exploitation?page=7 HTTP/1.1 • But wait, there’s more! • The dev reached out to me saying this • Could there also be email HTML injection? • Of course! Though these emails were used internally, and I couldn’t see them, the dev confirmed it worked! • So we have 5 bugs now, again simply from my address. 

GET /recap HTTP/1.1 • User inputs their address -> 3 separate functions were called • HTML file dynamically created and generated into PDF • Blind XSS, Local File Read, SSRF • Parsed into XML • XXE • Parsed into HTML used for internal emails • Email HTML Injection • For fun, I created this polyglot PoC that would trigger all the vulnerabilities at the same time. • %xxe;]>

test



GET /mitigation HTTP/1.1 • Sanitize user input • All bugs were possible because there was no sanitization on the 3 functions that used my input • Upgrade vulnerable software • The XML parsing software used an old and vulnerable version of library which had a known XXE CVE • 0days -> 2 CVEs assigned for vulnerabilities identified on the HTML to PDF converter software 

GET /thanks HTTP/1.1 Thank you for listening Questions? More questions? DMs are open on and