Page 204 - Hands-On Bug Hunting for Penetration Testers

Chapter 12 - Other (Out of Scope) Vulnerabilities

Sandboxed and Self-XSS - Low-Threat XSS Varieties


Self-XSS is a variety of XSS that relies heavily on social engineering, which is the primary reason it is excluded from most bug bounty programs. Sandboxed XSS, a similar term for a related strain, is typically used to describe an XSS vulnerability that happens on a machine isolated from sensitive user data or operations. Since Self-XSS refers to the specific phenomenon of executing code within your own browser environment to make yourself vulnerable to an XSS attack, it also means that your XSS bug is isolated in terms of what information it can access.

For Self-XSS to take place, the attacker must get the victim to execute code within the browser context. That execution is what makes the victim susceptible to further exploitation by the attacker.

A simple example of self-XSS in action would be as follows:

1. An attacker advertises a hacking-kit-in-a-box - H4x0rs l18e 1337! or whatever the kids say these days. All you have to do is copy this code snippet and paste it into the developer console of your browser.
2. You, beautifully gullible, happily copy the code and paste it into your console, imagining the terror of your digital wrath.
3. Instead of hacking someone else, the code you pasted into your console just exposed you to hackers. Any sensitive session cookies or information available in your browser is now the property of a shadowy cabal of cyberanarchists.

For an example of this in action, check out the link in the Further reading section for a write-up of a very similar scam that got passed around on Facebook a few years ago: the post (also) encouraged you to follow the directions to hack any Facebook account, (also) asking you to copy and execute code in your developer console, and (also) hacking you when you actually complied.

Because this particular bug, like so many of these un-rewardable, almost-vulnerabilities, requires either action outside the application context (a phone support worker initiating a change under the influence of social engineering) or other application-based vulnerabilities to be present and ripe for exploitation, it falls outside the scope of most programs and is not eligible for a reward.

Even as companies write guides to avoiding these kinds of scams, they're limited in terms of the preventative action they can take: there are only so many ways to secure a house if the owner is intent on giving away their keys.


[ 189 ]