├── All Group user account takover via Stored XSS.md
├── xss.md
├── xmlrpc.php FILE IS enable it can be used for Bruteforce attack.md
├── Stored_XSS_in_bio_+_CSRF_leads_to_full_account_takeover.md
├── CSRF while leave group leads to force victim to leave any group.md
├── Stored XSS + CSRF leads to full account takeover ( In Bio URL ).md
├── CSRF in "Join Group" Button leads to send request to join Arbitrary group from victim's account.md
├── SQLI at : group.php?group_id=.md
├── README.md
└── Database_Sensitive_Information_Disclosure.md

/All Group user account takover via Stored XSS.md:
--------------------------------------------------------------------------------
# All Group user account takeover via Stored XSS

## Affected URL
https://social.barracks.army/post_detail.php?post_id=7fc3d225-f786-4ac8-8c72-d29b80797ce2

## Vulnerability Type
Cross-Site Scripting

## Description
The `content=` field is vulnerable to XSS.

## Impact
ATO of all users via stored XSS; cookie stealing, running JavaScript.

## Steps To Reproduce
Create a post with this payload:

## Remediation
Add a client-side filter.

## CVSS
8.5

## Username
Null_traiger 2
--------------------------------------------------------------------------------
/xss.md:
--------------------------------------------------------------------------------
# xss

## Affected URL
http://social.barracks.army/group.php?group_id=g1h2i3j4-k5l6-7890-g1h2-i3j4k5l67890

## Vulnerability Type
Cross-Site Scripting

## Description
Go to http://social.barracks.army/group.php?group_id=g1h2i3j4-k5l6-7890-g1h2-i3j4k5l67890 and in the content parameter type the payload, and it shows you the cookie of the user.

## Impact
cookie

## Steps To Reproduce
Go to http://social.barracks.army/group.php?group_id=g1h2i3j4-k5l6-7890-g1h2-i3j4k5l67890 and in the content parameter type the payload `` and it shows you the cookie of the user.

## Remediation
Block user input for special characters and HTML tags.

## CVSS
5

## Username
rakesh
--------------------------------------------------------------------------------
/xmlrpc.php FILE IS enable it can be used for Bruteforce attack.md:
--------------------------------------------------------------------------------
# xmlrpc.php file is enabled and can be used for a brute-force attack

## Affected URL
http://shop.barracks.army/xmlrpc.php

## Vulnerability Type
Others

## Description
The website http://shop.barracks.army/ has the xmlrpc.php file enabled and could thus potentially be used for such an attack against other victim hosts. WordPress has xmlrpc.php enabled for pingbacks, trackbacks, etc.

## Impact
This method is also used for brute-force attacks to steal the admin credentials and other important credentials.

## Steps To Reproduce
1. Go to http://shop.barracks.army/wp-json/wp/v2/users/; here we can find 2 users: dev dev and root.
2. Now go to http://shop.barracks.army/xmlrpc.php and intercept the request.
3. Send it to Intruder, change the request method to POST and put this: ` wp.getUsersBlogs dev dev pass `
4. Here we can see that we have the username, and with xmlrpc, which has no rate limit, we can get the user's password.
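The remediation below says to disable xmlrpc.php. As an added example (not the site's or the reporter's code), here is a WordPress must-use plugin that does that and also closes the two things the steps above depend on: the anonymous user listing at /wp-json/wp/v2/users and the absence of a login rate limit. The hook names are WordPress's own; the plugin file, the per-client key and the 5-failures-in-15-minutes thresholds are assumptions.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (constructed example; drop into wp-content/mu-plugins/)
 */

// 1. Refuse every XML-RPC method that needs credentials, wp.getUsersBlogs included.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Drop the unauthenticated pingback methods as well, so xmlrpc.php cannot be
//    used to bounce requests at other hosts.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Hide /wp-json/wp/v2/users from anonymous visitors; step 1 of the report used
//    it to enumerate the usernames that were then guessed against.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. Rate limit for whatever still reaches wp_authenticate(): lock a client out
//    after 5 failed logins within 15 minutes (thresholds assumed). The
//    wp_login_failed action fires for wp-login.php and XML-RPC logins alike.
const HARDEN_MAX_FAILS = 5;
const HARDEN_WINDOW    = 15 * MINUTE_IN_SECONDS;

function harden_client_key(): string {
    // REMOTE_ADDR is right only when PHP sees the client directly; behind a
    // reverse proxy use the address the proxy sets instead.
    return 'login_fails_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

add_action( 'wp_login_failed', function (): void {
    $key = harden_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, HARDEN_WINDOW );
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out client is refused even when the guess happened to be right.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_FAILS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30 );
```

Blocking xmlrpc.php at the web server is an equally valid alternative to step 1 and 2; the rate limit and the user-listing change are still worth keeping because wp-login.php and the REST API stay reachable.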

## Remediation
Disable xmlrpc.php.

## CVSS
6.5

## Username
test
--------------------------------------------------------------------------------
/Stored_XSS_in_bio_+_CSRF_leads_to_full_account_takeover.md:
--------------------------------------------------------------------------------
# Stored XSS in bio + CSRF leads to full account takeover

## Affected URL
http://social.barracks.army/profile.php

## Vulnerability Type
Others

## Description
The identified vulnerability is a combination of Stored Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) affecting the user profiles within [Application Name/URL]. This vulnerability allows an attacker to execute malicious scripts within a victim user's session, potentially leading to a full account takeover.

## Impact
Full account takeover

## Steps To Reproduce
1. Log in to the domain http://social.barracks.army/
2. Go to edit profile and enter the following payload in the bio section: `"><script>alert(document.cookie)</script>`
3. Now intercept the request in Burp Suite -> right-click on it -> "Engagement Tools" -> Generate CSRF PoC
4. Save that file as ANYNAME.html and host it on any website.

Now when the victim opens this file and clicks on submit (or we can create the PoC with auto-submit too), their bio will be updated with our XSS payload and the attacker will get the victim's cookie (via webhook).

( Remote JAVASCRIPT EXECUTION )

## Remediation
Input Validation and Escaping: CSRF Protection:

## CVSS
9.3

## Username
Null_traiger
--------------------------------------------------------------------------------
/CSRF while leave group leads to force victim to leave any group.md:
--------------------------------------------------------------------------------
# CSRF while leaving a group leads to forcing the victim to leave any group

## Affected URL
http://social.barracks.army/leave_group.php

## Vulnerability Type
Cross-Site Request Forgery

## Description
If you want to leave the group, you need to send a POST request by clicking on "leave group". That POST request is vulnerable to CSRF.

## Impact
Attacker forces the victim to leave any group.

## Steps To Reproduce
CSRF while leaving a group leads to forcing the victim to leave any group.

## Steps to Reproduce:
1. Log in to your account at http://social.barracks.army/
2. Go to "my_groups.php" and you will see the groups in which you are a member.
3. Now if you want to leave the group, you need to send a POST request by clicking on "leave group".
4. That POST request has no CSRF protection, so you can force any victim to leave the group.
5. Click on "leave group" in my_groups.php -> intercept the request in Burp Suite -> right-click on it -> "Engagement Tools" -> Generate CSRF PoC
6. Save that file as ANYNAME.html and host it on any website.
7.
Now when the victim opens this file and clicks on submit (or we can create the PoC with auto-submit too), this request will force the victim to leave the group.

## Remediation
Add CSRF token

## CVSS
3.5

## Username
Null_traiger
--------------------------------------------------------------------------------
/Stored XSS + CSRF leads to full account takeover ( In Bio URL ).md:
--------------------------------------------------------------------------------
# Stored XSS + CSRF leads to full account takeover ( In Bio URL )

## Affected URL
http://social.barracks.army/profile.php

## Vulnerability Type
Others

## Description
I would like to report a critical security vulnerability discovered in the Profile URL section of your web application. This issue allows an attacker to execute a stored cross-site scripting (XSS) attack and exploit Cross-Site Request Forgery (CSRF) to achieve full account takeover, putting user data and system security at risk.

## Impact
Full Account Takeover

## Steps To Reproduce
1. Log in to the domain http://social.barracks.army/
2. Go to edit profile and enter the following payload in the profile URL section: `"></img><script>alert(document.cookie)</script>`
3. Now intercept the request in Burp Suite -> right-click on it -> "Engagement Tools" -> Generate CSRF PoC
4. Save that file as ANYNAME.html and host it on any website.

Now when the victim opens this file and clicks on submit (or we can create the PoC with auto-submit too), their bio will be updated with our XSS payload and the attacker will get the victim's cookie (via webhook).

( Remote JAVASCRIPT EXECUTION )

## Remediation
Input Validation and Sanitization: CSRF Protection: Content Security Policy (CSP): Regular Security Testing: Security Awareness Training:

## CVSS
9.3

## Username
Null_traiger
--------------------------------------------------------------------------------
/CSRF in "Join Group" Button leads to send request to join Arbitrary group from victim's account.md:
--------------------------------------------------------------------------------
# CSRF in "Join Group" button leads to sending a request to join an arbitrary group from the victim's account

## Affected URL
http://social.barracks.army/all_groups.php

## Vulnerability Type
Cross-Site Request Forgery

## Description
Here, if a normal user wants to join any group, he/she has to send a request to join that group.

Now, to send the request, the user needs to click on the "Join Group" button on the page "all_groups.php", which has no CSRF protection. So an attacker can forcefully send a request to join any group from the victim's account.

## Impact
An attacker can forcefully send a request to join any group from the victim's account; the victim may also lose trust in the website because they did not send any request to join the group.

## Steps To Reproduce
1. Log in to your account at http://social.barracks.army/
2. Go to "All Groups"; there will be some groups and you need to send a request to join any group.
3. Click on the "Join Group" button to send the request.
4. Intercept that request in a proxy like Burp Suite -> right-click on it -> "Engagement Tools" -> Generate CSRF PoC
5. Save that file as ANYNAME.html and host it on any website.
6.
Now when the victim opens this file and clicks on submit (or we can create the PoC with auto-submit too), the request to join that group will be generated from the victim's account.

## Remediation
Implement CSRF protection in all POST requests.

## CVSS
4.6

## Username
Null_traiger
--------------------------------------------------------------------------------
/SQLI at : group.php?group_id=.md:
--------------------------------------------------------------------------------
# SQLI at : https://social.barracks.army/group.php?group_id=

## Affected URL
https://social.barracks.army/group.php?group_id=

## Vulnerability Type
SQL Injection

## Description
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

## Impact
A successful SQL injection attack can result in unauthorized access to sensitive data, such as:
```
Passwords.
Credit card details.
Personal user information.
```
SQL injection attacks have been used in many high-profile data breaches over the years. These have caused reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.

## Steps To Reproduce
1. Log in to the account.
2. Go to this group URL: https://social.barracks.army/group.php?group_id=f4f3561a9eb2b83e2b96b715c287ae81
3.
I applied the SLEEP command to prove the SQLi; here is the PoC: \

## Remediation
You can prevent most instances of SQL injection using parameterized queries instead of string concatenation within the query. These parameterized queries are also known as "prepared statements".

Reference: https://portswigger.net/web-security/sql-injection#how-to-prevent-sql-injection

## CVSS
9.9

## Username
pratikpanchal
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# BugBountyCTF-Reports
This repository contains fully disclosed accepted reports of null Ahmedabad's Bug Bounty CTF.

## Reports

1. [Database Sensitive Information Disclosure in "/docker-compose.yml"](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/Database_Sensitive_Information_Disclosure.md)
2. [Stored XSS in bio + CSRF leads to full account takeover](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/Stored_XSS_in_bio_%2B_CSRF_leads_to_full_account_takeover.md)
3. [Stored XSS + CSRF leads to full account takeover ( In Bio URL )](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/Stored%20XSS%20%2B%20CSRF%20leads%20to%20full%20account%20takeover%20(%20In%20Bio%20URL%20).md)
4. [xmlrpc.php FILE IS enable it can be used for Bruteforce attack](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/xmlrpc.php%20FILE%20IS%20enable%20it%20can%20be%20used%20for%20Bruteforce%20attack.md)
5. [CSRF in "Join Group" Button leads to send request to join Arbitrary group from victim's account](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/CSRF%20in%20%22Join%20Group%22%20Button%20leads%20to%20send%20request%20to%20join%20Arbitrary%20group%20from%20victim's%20account.md)
6.
[All Group user account takeover via Stored XSS](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/All%20Group%20user%20account%20takover%20via%20Stored%20XSS.md)
7. [xss](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/xss.md)
8. [SQLI at : https://social.barracks.army/group.php?group_id=](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/SQLI%20at%20%3A%20group.php%3Fgroup_id%3D.md)
9. [CSRF while leave group leads to force victim to leave any group](https://github.com/nullahm/BugBountyCTF-Reports/blob/main/CSRF%20while%20leave%20group%20leads%20to%20force%20victim%20to%20leave%20any%20group.md)
--------------------------------------------------------------------------------
/Database_Sensitive_Information_Disclosure.md:
--------------------------------------------------------------------------------
# Database Sensitive Information Disclosure in "/docker-compose.yml"

## Affected URL
https://social.barracks.army/docker-compose.yml

## Vulnerability Type
Sensitive Data Exposure

## Description
Sensitive Information Disclosure (also known as Sensitive Data Exposure) happens when an application does not adequately protect sensitive information that may wind up being disclosed to parties that are not supposed to have access to it.

## Impact
The scale of impact from a Sensitive Information Disclosure event is limited only by the type of sensitive information disclosed and a malicious actor’s ability to leverage it.

For example, the fallout could be as minor as a local pathname being disclosed in a stack trace, allowing a malicious actor to improve their knowledge of the target’s implementation details, right through to a full-blown data leak involving millions of customers’ confidential data.

## Steps To Reproduce
Go to this direct URL: https://social.barracks.army/docker-compose.yml

- You will find database credentials there.
- MYSQL_ROOT_PASSWORD=\
- MYSQL_DATABASE=\
- MYSQL_USER=\
- MYSQL_PASSWORD=\
- DONE

## Remediation
Do the following, at a minimum, and consult the references:

- Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
- Apply controls as per the classification.
- Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
- Make sure to encrypt all sensitive data at rest.
- Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
- Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
- Disable caching for responses that contain sensitive data.
- Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
- Verify independently the effectiveness of configuration and settings.

## CVSS
6.3

## Username
pratikpanchal
--------------------------------------------------------------------------------
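The profile.php, leave_group.php and "Join Group" reports above all reduce to two missing server-side controls: a CSRF token on state-changing POSTs and output encoding (plus URL validation) for the stored bio and profile URL. As an added example that is not the application's or any reporter's code, here is a PHP handler showing both together; the field names `bio`, `profile_url` and `csrf_token` are assumptions, and the session is stubbed so the file runs from the CLI.

```php
<?php
// Session stub so this runs from the CLI; in the app, session_start() with
// cookie_httponly and cookie_samesite=Lax provides the real $_SESSION.
$_SESSION = [];
// One unpredictable token per session, embedded as a hidden field in every form
// (profile edit, leave group, join group). A page on another origin cannot read it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function csrf_verify(?string $submitted): bool {
    return $submitted !== null && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}
// The bio is stored as typed and encoded at output, so "><script>... renders as text.
function render_bio(string $bio): string {
    return htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// The profile URL lands in an href, where encoding alone is not enough (a javascript:
// URL is well-formed HTML). Allow only absolute http(s) URLs, then encode.
function render_profile_url(string $url): ?string {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// POST handler for profile.php: CSRF check first, then validation, then storage.
function handle_profile_update(array $post): array {
    if (!csrf_verify($post['csrf_token'] ?? null)) {
        return ['status' => 403, 'error' => 'missing or invalid CSRF token'];
    }
    $url  = $post['profile_url'] ?? '';
    $href = ($url === '') ? '' : render_profile_url($url);
    if ($href === null) {
        return ['status' => 400, 'error' => 'profile URL must be an absolute http(s) URL'];
    }
    return ['status' => 200, 'bio_html' => render_bio($post['bio'] ?? ''), 'href' => $href];
}
// Constructed requests: a forged form without the token is refused; genuine ones
// carry the reports' payload, which is rendered inert (bio) or rejected (URL).
$payload = '"><script>alert(document.cookie)</script>';
print_r(handle_profile_update(['bio' => $payload]));
print_r(handle_profile_update(['bio' => $payload, 'csrf_token' => csrf_token()]));
print_r(handle_profile_update(['profile_url' => $payload, 'csrf_token' => csrf_token()]));
```

The same `csrf_token()` / `csrf_verify()` pair belongs in leave_group.php and the "Join Group" handler; a Burp-generated PoC page cannot supply the token because it never sees the victim's session.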
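For the SQLi report on group.php?group_id=, the remediation names prepared statements. The following added example (not the application's code) puts the injectable string-concatenation pattern beside the parameterized fix, using a constructed in-memory SQLite table with the group id from the report so it runs stand-alone; the table name, columns and the `is_private` flag are assumptions.

```php
<?php
// In-memory SQLite stands in for the app's database so the file runs stand-alone
// (constructed table and rows; the real app would use its MySQL DSN instead).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the database engine bind values itself
]);
$db->exec('CREATE TABLE user_groups (group_id TEXT PRIMARY KEY, name TEXT, is_private INTEGER)');
$db->exec("INSERT INTO user_groups VALUES
    ('f4f3561a9eb2b83e2b96b715c287ae81', 'public-group', 0),
    ('0123456789abcdef0123456789abcdef', 'hidden-group', 1)");

// Vulnerable pattern: the raw group_id parameter is spliced into the SQL text, so a
// quote inside it closes the literal and everything after it is executed as SQL.
function getGroupUnsafe(PDO $db, string $groupId): array {
    $sql = "SELECT name FROM user_groups WHERE group_id = '$groupId' AND is_private = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fix: a prepared statement sends the query and the value separately; the value is
// only ever compared against group_id and is never parsed as SQL.
function getGroupSafe(PDO $db, string $groupId): array {
    $stmt = $db->prepare('SELECT name FROM user_groups WHERE group_id = :gid AND is_private = 0');
    $stmt->execute([':gid' => $groupId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: the id from the report, and a tampered id whose tail comments
// out the is_private condition (the same class of probe as the reporter's SLEEP test).
$legit    = 'f4f3561a9eb2b83e2b96b715c287ae81';
$tampered = "x' OR 1=1 --";
foreach ([$legit, $tampered] as $id) {
    printf("unsafe(%s) -> %s\n", $id, json_encode(getGroupUnsafe($db, $id)));
    printf("safe(%s)   -> %s\n", $id, json_encode(getGroupSafe($db, $id)));
}
```

With the unsafe function the tampered id also returns the private row, whereas the prepared statement matches no group at all; keep `ATTR_EMULATE_PREPARES` off on MySQL so binding happens server-side rather than by client-side quoting.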