Bug 1

Try this: /FFH/?tid=lol&cmid=lol   Both parameters above are reflected, as can be seen in the page source.

/FFH/?tid=lol"-alert(1)-"cmid=lol'-alert(0)'

cmid worked because the developer was only using htmlentities, which encodes angle brackets and double quotes but (with PHP's default flags before 8.1) leaves single quotes alone, so the single-quote breakout inside the JavaScript string survives. If you had used \<h2>xss it would not have worked, since PHP's htmlentities HTML-encodes the h2 tag.

At tid, \<script> is filtered, \<\script> is filtered, and ' and " are filtered as well.

Try \<h2>xss in tid

/FFH/?tid=lol\<h2>xss&cmid=lol

It worked, so the payload for tid should be:

/FFH/?tid=\</script/x>\<svg/onload="alert(1)">

Bug 2

Log in and go to settings page.

On the www.bugbountytraining.com/FFH/settings.php page:

Send the name as xxx">\<h2>hi

It gave an invalid referrer error.

Remove the Referer header and try the request again.

Change the request method to GET.

  • The developer was simply checking for the presence of the Referer header.

Bug 3

In the page source of the login form there is a piece of JavaScript that, if r_url=1, takes the url parameter and puts it into the redirectURL parameter.

/login.php?act-login&token=yes&url=http://google.com&r_url=1

The request below might bypass this filter, as the developer is probably just checking whether the url parameter is a URL and blocking it if it is.
The developer uses FILTER_VALIDATE_URL to decide whether the value is a URL or not.

/login.php?act-login&token=yes&url=//google.com&r_url=1

You can also double-encode https://google.com to bypass the above filter.
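The two checks side by side, as an added Python example that is not part of the write-up or the challenge: the weak check mirrors the "block it only if it parses as an absolute URL" logic described above (modelled with urllib, not PHP's FILTER_VALIDATE_URL itself), and the hardened one only accepts a local path, so the protocol-relative and double-encoded values from this section fall back to a default.

```python
"""Open-redirect checks for a ?url= parameter (added example, not the challenge's code)."""
from urllib.parse import unquote, urlparse


def weak_redirect_allowed(url: str) -> bool:
    """Mirror of the write-up's logic: block only values that parse as an absolute URL.

    //google.com has no scheme, so it is allowed, yet the browser still leaves the site.
    A percent-encoded scheme is allowed for the same reason if the app decodes it later.
    """
    parts = urlparse(url)
    is_absolute = bool(parts.scheme) and bool(parts.netloc)
    return not is_absolute


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Accept only a local, path-only target; anything else falls back to default.

    - decode repeatedly (bounded) so a double-encoded scheme cannot hide from the check
    - require a leading "/" and reject "//" and "/\\" (protocol-relative forms)
    - reject control characters and whitespace, and any scheme or host that remains
    """
    decoded = url
    for _ in range(3):  # three rounds cover %25-style double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if not decoded.startswith("/") or decoded.startswith(("//", "/\\")):
        return default
    if any(ch.isspace() or ord(ch) < 0x20 for ch in decoded):
        return default
    parts = urlparse(decoded)
    if parts.scheme or parts.netloc:
        return default
    return decoded


if __name__ == "__main__":
    # Constructed sample values, including the two bypasses from the write-up.
    for candidate in ("http://google.com", "//google.com",
                      "https%253A%252F%252Fgoogle.com", "/book.php"):
        print(f"{candidate!r:40} weak={weak_redirect_allowed(candidate)!s:5} "
              f"safe={safe_redirect_target(candidate)}")
```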

Bug 4

From the robots.txt page, there are /book.php and /order.php pages available.

Book something with test, test

and capture the request; as you can see, there is no CSRF protection token in it.

We can generate the CSRF HTML payload and send the request using JSFiddle.

When we send the request from JSFiddle we get an error; check in Burp what happened.

As we can see in the request, there is an extra = in the POST body, which makes it invalid JSON.

So we change our CSRF payload.

The = appears because the form expects a value: we put the whole payload in the input's name attribute, so we move the tail of the payload into the input's value attribute instead.

The developer messed up here because they didn't validate the Content-Type, which is text/plain in this case.

They just checked the payload, found it was JSON and accepted it.

Bug 5

Check the page source of book.php:

you can see that there is a cancel button with an href associated with it.

/book.php?cancelUrl=javascript:alert(0)

and we are able to change the href using this, and an alert box opens.