Hello InfoSec elites,
I’m going to share a story about how I escalated a low-severity bug into a critical one.
I was looking at the different functionalities of one of the programs, and it had a Collab feature where we can make notes and share them with others. There was an option to export the notes as PDF. Here, without wasting any time, I simply added
"><h1>LoL</h1> to a note and exported the same content as PDF, and the export rendered the HTML.
Okay, so now we have a P4. Let’s see if I can escalate this to a P2 or maybe a P1. First, does JavaScript execute as well?
<img src="x" onerror="document.write('aaaa')" />
Awesome! Now we need to find out where it is executing, with the help of “window.location”:
<img src="x" onerror="document.write(window.location)" />
And the PDF came back with the following content:
Since I was able to get the location, I tried to access file:///etc/passwd with the help of the document.write() function:
<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
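As an added example (not code from the original post or the affected program), here is the server-side fix an export feature like this one needs: note content must be escaped as text before it is placed in the HTML that the PDF renderer consumes. The template string and function names are assumptions; the sample notes reuse the payloads quoted above.

```python
import html
import re

# Constructed sample notes; the first two are the payloads from the writeup.
SAMPLE_NOTES = [
    '"><h1>LoL</h1>',
    '<img src="x" onerror="document.write(window.location)" />',
    'Meeting notes: ship v2 on Friday',
]

# Assumed HTML wrapper the export feature fills in before converting to PDF.
PAGE_TEMPLATE = '<html><body><div class="note">{body}</div></body></html>'
_PREFIX = '<html><body><div class="note">'
_SUFFIX = '</div></body></html>'

_TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')


def looks_like_markup(note: str) -> bool:
    """Cheap check for HTML tags in note text; useful for logging or alerting
    on export requests, but not a substitute for escaping on output."""
    return _TAG_RE.search(note) is not None


def render_note_unsafe(note: str) -> str:
    """The vulnerable pattern: user text is concatenated straight into the page,
    so any tag in the note is interpreted by the renderer."""
    return PAGE_TEMPLATE.format(body=note)


def render_note_safe(note: str) -> str:
    """Hardened version: <, >, &, and quotes are escaped, so the note is always
    displayed as literal text and no script or iframe can be injected."""
    return PAGE_TEMPLATE.format(body=html.escape(note, quote=True))


def contains_active_content(rendered: str) -> bool:
    """Does the rendered page contain any tag beyond the fixed template wrapper?"""
    inner = rendered[len(_PREFIX):len(rendered) - len(_SUFFIX)]
    return looks_like_markup(inner)
```

Escaping removes the injection; the headless renderer should additionally be configured to refuse file:// URLs and run without outbound network access, so a residual bug cannot become a local file read.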
The program manager personally appreciated this report and chose to reward me with twice the amount for this bug.
If you have any questions related to this post, feel free to comment.