How I was able to get private ticket response panel and FortiGate web panel via blind XSS

Hi , readers

In this blog post I’m gonna share my recent finding . So ,first I introduce myself , who don’t know about me I’m Bijan Murmu a noob bug bounty hunter from India . This is my first writeup . I hope you like it .

So , That day I was testing on an e-commerce site . Because It’s private company I can’t reveal the name (policy issue). For further assistance I called this site as seller.redacted.com . After doing some tests on seller.redacted.com I almost found nothing 😞. Hunters will know the pain very well . All the way to give up on that site and move on to another , I forced myself to take a look to the web app for the last time. This time I focused on XSS . Basically I use Burp suite community edition for bug hunting it’s an awesome tool also recommend by Professional bug hunters.

After finished spidering over targeted site I found a suspicious thing. Its like if you enter wrong credentials then an option over login page appeared says “Unable to Login?

I just curious about that option and I clicked on that and a form pop up with some fields to give your information . Filled up all the fields and I gave my blind XSS payload to description field and submit it .

After an hour I receive a lovely notification to my mail which says “XSS payload fired on something.private.redacted.com/#app/secondLevelLead/my/incident/[ticket]/ticketjourny” . I use XSSHunter for blind XSS tests .

blind XSS notification 😍😍

Its totally a great feeling ,but wait I can’t access it , why? After some research I get to know that it is some type of internal infrastructure which only access by the internal staff or need some type of VPN to access it . The panel looks like :

private panel

Ok , thats not a good news.Wait , there also a IP address in that notification which redirect me to FortiGate web panel and that panel has a login page.

FortiGate next-generation firewalls utilize purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance including encrypted traffic. FortiGate reduces complexity with automated visibility into applications, users and network and provides security ratings to adopt security best practices. 

Login panel

After visit the login page I try to bypass login panel using default credential admin/admin. And BOOM!!!! . Logged in to the dashboard .

Login Panel bypassed!!! 🔥🔥

After bypassed every functions are accessible and able to change , In hackers word “I pwned admin panel “.This is how I was able to get into FortiGate panel and able to expose private panel via blind XSS . I hope everyone will like it . Please give me feedback about it . So , I will add improvements in my upcoming posts.

Timeline :

May 29, 2019 – Report submitted to the company via HackerOne.

May 29, 2019 – Respond by HackerOne staff .

May 30, 2019 – Triage by Team member

June 3rd, 2019 – Rewarded $1,250 .

Leave a Comment