BlankMediaGames/Town Of Salem XSS

03 Jan 2020

While looking around the BlankMediaGames website (the creators of Town Of Salem) I came across an api.php file sitting inside one of the folders listed in the site's robots.txt file.

The file in question is:

Upon visiting the page we get the following output with a 200 response code:

At first I thought this was a hidden API, but it turned out to be nothing more than a simple echo script. I suspected the script took some input as GET or POST parameters, so we used a script called parameth to brute-force the GET and POST parameter names with a dictionary attack.

We run the script with the following parameters:

The argument --sizeignore lets us ignore responses of a particular size (in our case 19 bytes, the size of the default output). Typically we'd use the response code to filter out default responses, but in this case the response code was always 200.

We find the following inputs:

Therefore, the two GET parameters are hello and request. These parameters are echoed into the page without any sanitisation or output encoding, meaning the original PHP script would look something like this:

As a result this script is vulnerable to reflected XSS:



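As an added illustration (example code written for this write-up, not the BlankMediaGames api.php, whose source was never published): a hypothetical reconstruction of an echo script that reflects the hello and request GET parameters raw, beside a hardened version that HTML-encodes them with htmlspecialchars before output. The probe string in the CLI branch is a constructed sample; the function names are my own.

```php
<?php
// Added example, not BlankMediaGames' api.php: a hypothetical reconstruction
// of an echo script that reflects two GET parameters, "hello" and "request".
declare(strict_types=1);

// Fetch a query parameter as a string. PHP turns ?hello[]=x into an array,
// which must not reach the encoder, so anything that is not a string is
// treated as absent.
function param(array $params, string $name): string
{
    $value = $params[$name] ?? '';
    return is_string($value) ? $value : '';
}

// VULNERABLE: the values are concatenated into the HTML body untouched, so
// any markup or script in the query string is interpreted by the browser.
function render_unsafe(array $params): string
{
    $hello   = param($params, 'hello');
    $request = param($params, 'request');
    return "<p>hello: $hello</p><p>request: $request</p>";
}

// HARDENED: every reflected value is HTML-entity-encoded for the element
// context it lands in. ENT_QUOTES also encodes ' and ", so the same helper
// is safe inside quoted attribute values; the explicit charset stops
// malformed multibyte sequences from smuggling a bare < or > through.
function encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(array $params): string
{
    $hello   = encode(param($params, 'hello'));
    $request = encode(param($params, 'request'));
    return "<p>hello: $hello</p><p>request: $request</p>";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: a typical reflected-XSS probe, one value
    // aimed at element content and one at breaking out of an attribute.
    $probe = [
        'hello'   => '<script>alert(1)</script>',
        'request' => '" onmouseover="alert(1)',
    ];
    echo "unsafe: ", render_unsafe($probe), PHP_EOL;
    echo "safe:   ", render_safe($probe), PHP_EOL;
} else {
    // Served by a web server: declare the charset the encoder assumes and
    // only ever emit the encoded form.
    header('Content-Type: text/html; charset=UTF-8');
    echo render_safe($_GET);
}
```

Run it with `php api-example.php` to compare the two renderings side by side: the unsafe branch passes the probe through verbatim, while the hardened branch emits only entity-encoded text, so the browser renders the probe as literal characters. Encoding at the point of output, in the context the value lands in, is the fix; "sanitising" input with a blocklist is not, because the echo script has no way of knowing which characters a caller will later treat as markup.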
01/01/2019 – Reported to BMG
03/01/2019 – Patched by BMG.


Posted in XSS

