Bypassing a WAF to get XSS on a DoD site
Hello all. In this post I will share how I found a reflected XSS (RXSS) on a DoD site.
https://hackerone.com/reports/1834042
During my latest round of security testing I set my sights on the Department of Defense's websites and chose example.com as my target. My first step was to run subfinder to enumerate the subdomains associated with the site. With that list in hand, I used waybackurls to pull the archived URLs for each subdomain, and then ran nuclei over those URLs to collect data on each of them.
As I sifted through the output, one finding caught my attention: nuclei reported that the Swagger UI "dochelper" on one of the URLs was vulnerable to XSS. Realizing the potential impact of such a bug, I started verifying the issue manually.
At first my attempts to inject a payload were unsuccessful because the WAF rejected the request. I didn't give up, though, and used Burp Suite to modify the request. The modified request got past the WAF and successfully triggered the XSS.
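The post does not say what the payload was or what was changed in Burp, so from the defender's side the useful lesson is a general one: a WAF rejecting the first attempt is not the same as the application being safe, and the logs still record what reached the Swagger UI page. The script below is an added example, not code from the post or from any DoD project; it scans constructed Apache-style access-log lines for requests to Swagger UI paths whose query values contain script indicators, decoding the values repeatedly so that double-encoded variants (a common way requests get past a filter that decodes only once, assumed here since the post gives no detail) are caught, and reports whether the request was blocked (403) or served (200). The path fragments and log lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines in Apache "common" format (not from the post).
# Line 2 is a plainly encoded payload the WAF rejected; line 3 is the same
# payload double-encoded, which was served with 200.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2023:10:00:01 +0000] "GET /api/docs/swagger-ui.html?url=https://petstore.example/openapi.json HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2023:10:00:02 +0000] "GET /api/docs/swagger-ui.html?url=javascript%3Aalert%281%29 HTTP/1.1" 403 0
10.0.0.7 - - [10/Jan/2023:10:00:03 +0000] "GET /api/docs/swagger-ui.html?url=%256Aavascript%253Aalert%25281%2529 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2023:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Hypothetical path fragments under which Swagger UI is commonly served.
SWAGGER_PATHS = ("swagger-ui", "/swagger/", "api-docs")

# Indicators of script injection in a decoded parameter value.
INDICATORS = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=|<\s*svg|<\s*img", re.IGNORECASE)

# Statuses that indicate the WAF (or app) refused the request.
BLOCK_STATUSES = {403, 406}


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so that a
    double-encoded payload is compared in its final decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the named groups of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_swagger_request(path):
    """True if the request path looks like a Swagger UI page."""
    low = path.lower()
    return any(fragment in low for fragment in SWAGGER_PATHS)


def suspicious_params(target):
    """Return (name, decoded_value) for every query parameter whose
    fully decoded value contains a script indicator."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already decoded one layer
        if INDICATORS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Scan log text and return one finding per Swagger UI request
    carrying a suspicious parameter, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path = urlsplit(entry["target"]).path
        if not is_swagger_request(path):
            continue
        hits = suspicious_params(entry["target"])
        if not hits:
            continue
        status = int(entry["status"])
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "path": path,
            "status": status,
            "blocked": status in BLOCK_STATUSES,
            "hits": hits,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "blocked" if f["blocked"] else "SERVED (WAF did not stop it)"
        print(f"{f['ts']} {f['ip']} {f['path']} {f['status']} {verdict} {f['hits']}")
```

The point of `fully_decode` is that the second and third lines carry the same decoded value; a filter that compares after a single decode sees `%6Aavascript...` on line 3 and lets it through, while the application (or the browser) decodes again. Reporting a finding that was served with 200 is the signal worth alerting on, since it means the request reached Swagger UI.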
After confirming the issue, I promptly reported the vulnerability through the relevant program so the team could fix it before any real harm was done.
This is a short summary of how I found a reflected XSS vulnerability. Thank you for your time, and happy hunting! ❤