Cool paste jacking attack earned me $$$

Few months ago I found a cool bug you can also call it as paste jacking attack and I reported this bug and earned $$$, so lets start….

What is paste jacking?

Paste jacking is nothing. It is an exploitation of click jacking in which rather than force victim to click on button we convince them to copy text and paste it in desired text box.

Lets see this in more detail with an example.

I found a website and did basic recon such as enumerating subdomains and looking for open port and services but after enumerating subdomains I found that only app.example.com is in scope so I started looking for subdomains of app.example.com and found a subdomain xxx.app.example.com so when I open this subdomain on my browser I was redirected to app.example.com.

So I was like what the fuck is going on …..

then I started looking for directory so after scanning for valid directory I ended up with a valid /test directory now I have a valid directory so I navigate to valid directory in the hope of getting some juicy stuffs 🙂

But that was just a test directory which is giving me test 1000 times and I was like Oh! man shit so I decided to change directory name from /test to /test1 and BOOM! I got the cookies of current logged in user including email address , csrf token and some other secret tokens.

Now the question arise How can I steal this from other users???

So whenever we talk about stealing information from user then best possible way is by exploiting cors and I started looking for cors at that endpoint but no luck that endpoint was not vulnerable with cors.

Now I was like what should I do now ??? then suddenly I saw that the endpoint doesn’t have any protection for X-Frame which clearly means that this is vulnerable to click jacking so I created a nice proof of concept in which we will convince victim to copy his cookies from the xxx.app.example.com/test1 and paste them in text box and then send this cookies to attackers server and BOOM!

We can successfully steal cookies from other users.

So I reported this bug to company got $$$ and they fixed it.

Then I decided to lets try to bypass this fix and I started reading java script files of app.example.com and found an endpoint xxx.app.example.com/socket and when I open this endpoint I again got the cookies and I was like yeah! again $$$ and I reported it.

After a week I got an email from company and they marked this as duplicate of my previous bug and now they are not even fixing this issue.

Thank you for reading

Instagram :- https://instagram.com/theamanrawat

Twitter :- https://twitter.com/theamanrawat

 

Leave a Comment

Your email address will not be published.