BugBountyTraining Lab: FastFoodHackings Part 1
What’s up hackers? Hope y’all are doing great. To sharpen my hacking and hunting (bug hunting) skills, I often solve various labs and search for more to solve. PortSwigger is my first place of choice. But in the Bug Bounty community I saw many hunters recommending BugBountyHunter.com to practice on. They suggest getting a subscription, which gives you access to their private labs, but you can still try the free ones. In this article I’ll talk about the free lab by Sean (zseano) called FastFoodHackings.
Note: You have to try everything manually here. No automation, no brute forcing, no Nuclei/Nikto/Nessus. Just pure brain power.
As usual I opened up the lab and started checking the functions. I found a couple of things here, like: login, APIs, booking. But what I do when I approach a target is look at the JS files. And there were two of them at the absolute bottom of the page, down in the Mariana Trench. Both of them are scripts made by the site developers, not some 3rd party. So you know what time it is. Code analysis time.
One of the JS files contains some code which, after inspecting it for a moment, I figured out is handling redirection. But how exactly? Well, let me explain:

// urlParams is the query string of the current page (added for context, the lab's script defines it earlier)
const urlParams = new URLSearchParams(window.location.search);
const redirectUrl = urlParams.get('from');
const redirectType = urlParams.get('type');
Here you can see the script taking 2 inputs via 2 parameters called from and type and assigning them to 2 variables called redirectUrl and redirectType. Now if you look down a bit, you will see the function that handles the real redirection:
if (redirectUrl === null) {
    // No redirect.
} else {
    if (redirectType == '1') {
        // getHashValue() is the lab's own helper: it reads key=value pairs after the # in the URL
        window.location.href = getHashValue("redir");
    } else {
        document.getElementById("returnurl").style.display = "block";
        document.getElementById("redirectUrl").href = redirectUrl;
        document.cookie = "from=" + redirectUrl + "; expires=Thu, 20 Dec 2021 12:00:00 UTC";
    }
}
First it checks whether the variable redirectUrl is null or not. If it’s not null, it moves on to the second condition and this time checks the value of redirectType. If the value is 1, it then reads the value of the redir parameter in the URL. The point here is that this happens inside the getHashValue() function, which takes values from the parameters coming after the # in URLs like: www.something.com/index.php#redir=heheboi
After getting the hash value, it redirects you to that location. So if we sum it up we get:
- from parameter, passed into the redirectUrl variable, which must not be null
- type parameter, passed into the redirectType variable, which needs to be equal to 1
- redir parameter (after the #), which will contain the link to redirect to
Putting all of them together we will get……
I’ve told you everything you need to exploit the Open Redirect and also the XSS. Now go and try it yourself. For the stragglers, the XSS payload that I used is javascript:alert(document.domain).
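As an added example (not code from the lab or from the author), here is the hardened counterpart to the redirect logic above in JavaScript: the same from/type/redir gating, but the fragment value is validated before it is used, so javascript: URLs and external hosts are refused. The site origin is a placeholder and getHashValue is reimplemented as an assumption, since the lab’s own helper is not shown.

```javascript
// Added example, not the lab's code. SITE_ORIGIN is an assumed placeholder;
// getHashValue is reimplemented here as an assumption (the lab's is not shown).
const SITE_ORIGIN = 'https://www.something.com';

// Parse "#redir=/account&foo=bar" into { redir: '/account', foo: 'bar' }.
function parseHashParams(hash) {
  const out = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const val = idx === -1 ? '' : pair.slice(idx + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return out;
}

function getHashValue(hash, key) {
  const v = parseHashParams(hash)[key];
  return v === undefined ? null : v;
}

// Returns the absolute URL when the candidate resolves to a same-origin
// http(s) target, otherwise null. Resolving against SITE_ORIGIN keeps relative
// paths working; the protocol check rejects javascript: (the XSS vector) and
// the origin check rejects external and protocol-relative ("//host") targets.
function safeRedirectTarget(candidate, origin = SITE_ORIGIN) {
  if (typeof candidate !== 'string' || candidate.trim() === '') return null;
  let url;
  try {
    url = new URL(candidate, origin);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.origin !== new URL(origin).origin) return null;
  return url.href;
}

// Same gating as the page's snippet (from present, type === '1', redir in the
// fragment), but the redirect target is validated instead of used verbatim.
function resolveRedirect(search, hash) {
  const params = new URLSearchParams(search);
  const redirectUrl = params.get('from');
  const redirectType = params.get('type');
  if (redirectUrl === null || redirectType !== '1') return null;
  return safeRedirectTarget(getHashValue(hash, 'redir'));
}
```

In the real page the caller would assign the non-null result to window.location.href and otherwise fall back to a fixed in-site landing page.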
That’s it. Hope y’all got what you needed. I’ll publish other write-ups soon. Till then, sayonara.