I was explaining the work of Samy Kamkar to one of my friends. Samys site has so many easter-egg like challenges. We are not allowed to view the source code using normal methods like ‘right-click’ , ‘Inspect element’ , ‘Ctrl + shift + I’ etc. Then I tried the following snippet.
I was able to see the source code that was extracted from the DOM for the Samy’s website.
You guys can go to https://samy.pl and try to right-click, view his source code using ctrl + u or even go to another tab and type:
Lastly, try to view the source using inspect element and I think you will be surprised. Do comment if you find any other way to view the source code.
Then I started going through everything that was on the website. I saw that he was using JS code to detect proxies like Burp, Charles & Fiddler. I dug deeper to see everything he was using to make the awesome website that he has. Sometime later I found a suspicious “jsonp endpoint” that was used to reflect the public IP address of whoever is requesting his website.
Verifying proxy tools.
This code was verifying if the user was logged in or not.
The endpoint was something like https://samy.pl/ipp.php?jsonp=st then it would reflect something like this
After finding the endpoint I started altering the endpoint. First I removed ‘st’ from the endpoint and I saw that it was also removed on the reflected output.
I then altered furthermore by adding ‘<>’ which was successfully reflected on the site.
When I saw that the greater than and smaller than symbols were reflected I straight jumped into using my custom script to reflect a cross-site scripting vulnerability that was successfully executed and that was how I was able to perform XSS on Samy.pl.
R-XSS DOM Overwrite
- June 6, 2019 — Report Sent
- June 7, 2019 — Fixed & allowed to publish by Samy Kamkar
I have found in my past experience that even some top security researchers from HackerOne have had their site hacked or other security researchers have discovered some type of vulnerability. No matter how much people claim to have their site/system it is 100% secure or no matter how much a person is experienced it is only a matter of time and the amount of knowledge to discover a new or even existing flaw.