How I crashed a website with a single-line command?
First, don’t do this. I myself don’t fully understand why it happened, but it did, and let me tell you how. So it was a normal boring day for me, reading random pen-test write-ups and playing around with Burp Suite as always. That’s when I came across the weirdest bug I have ever come across, if that’s a bug at all or something totally different. It amazed me as to what I had just done, but at the same time I was terrified from within.
Let’s dig in!
So, I was reading these articles, and at the same time I was trying to see if I could carry out a false payment on that website, let’s say example.com. Now example.com/payment_login is the login page for the website’s payment portal. Whenever doing a pen-test, keep in mind that companies might be okay with you crashing their home page, but never with their payment portals. So, I had already hacked their systems earlier, where I got the data of all their users, their login credentials and more. How I did it is a story for a different time; just know that it happened because of the usage of default passwords.
Using one of those accounts, I logged in to the website and was trying to carry out the transaction without having to pay the actual amount, or manipulating it in some way possible. I always love playing around with transactions ’cause I feel that is one of the most important parts of the website. If you don’t secure that, then it is going to hit you the hardest.
Lucky for them, their transaction page was pretty secure and I could barely find a bug, after grinding away 3 hours of the day. Luckily I had Burp turned on the whole time.
Lucky Me or Not so much?
Burp Suite was turned on the whole time I was carrying out my pen-test on the payment portal of that website. I was so focused on trying to see each and every part of the packet that was being transferred over via the intercept in the Proxy tab of Burp that I never opened the Target tab of Burp the entire time.
Dejected and frustrated, when I was about to stop the pen-test for a while, I just opened the Target tab and saw a big red dot, denoting a certain vulnerability present on the webpage I was pen-testing.
It’s really very rare to see those red dots, ’cause most web developers nowadays don’t leave such openings in their websites. I was excited to have finally found something at last. To be honest, I was a bit surprised to see the red dot. I read everything about the particular vulnerability below in the advisory section documented by Burp.
Creating the Payload
Once I understood the XSS problem, I went through the HTML source code to get an idea as to where I should insert the XSS payload and what it should be like. It was pretty easy, as I didn’t have to apply my brain to encode them and all. Characters like <, ' and " were already allowed, as it was stated in the issues section. So I transferred the intercepted packet to the Repeater, and this was the payload and the response I got back when I forwarded it in the Repeater.
When I saw the response, I was actually confused as to what happened. I couldn’t understand why it wasn’t working properly in the Repeater. So to check it out, I immediately went over to the browser and refreshed the webpage, and guess what I see there.
As soon as I saw this I knew I was in trouble. I thought they had blocked my IP or traced me and blacklisted me. Later on, I realised I had crashed their website. I couldn’t believe that an XSS attack ended up doing this (I still don’t; feel free to explain why it happened in the comments). The website remained down for half an hour before someone noticed it and told them. I was in total disarray for that half an hour.
Never, ever do the next steps that I carried out. Do not try this at home!
I did the dumbest thing ever in my pen-testing history. I had to be sure that it was my payload that caused the website to crash and not some coincidence. So, I sent that packet once again when the website was up and yes, it crashed again. This time around the website was up in 10 minutes or so.
Don’t tread in areas you don’t understand, ’cause one small mistake can cost the corporation a lot of money, which is surely gonna bite you back. Try to be as clear as possible about the outcomes of what you are trying to do.
Above all, if something bad happens, don’t try to carry it out again to check if it was you or a coincidence, no matter how tempting it might be.
Never try and crash a website, as sometimes small things are overlooked by the devs, but something this big is rarely missed and can have serious repercussions.
If you enjoyed it, please do clap, and happy hacking!
I need to mention this specifically: I was only able to find this bug because I had the XSS Reflector extension installed in my Burp Suite. A few people mentioned it to me later on, and to check it out I carried out the scan without the extension, and like they said, I wasn’t able to find the bug.
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/