Persistent XSS Art with hacker Haxel0rd

Hi Haxel0rd, can you give us a short intro about you?
------------------------------------------------------
Yeah sure, I'm an older guy who learned (mainly web) hacking in the early days 
and I chose the GreyHat, meaning I cross borders when it comes to legality: 
sometimes I access stuff I am not allowed to, but I only do it out of technical 
interest and never break things or steal data, I just see and forget. For some 
cases I report vulnerabilities, many I just leave as they are, and for others, like 
Aliexpress, I leave a message to sysadmins with suggestions on how to improve. 
My twitter only represents (my sometimes childish side and) my private life of 
hacking. Oh, and I love trolling! In my main job, I am a senior pentester 
and I strictly separate work from how I act privately on my twitter. 


Well then, congrats on making perhaps the most creative persistent XSS.
-----------------------------------------------------------------------
Thank you very much! I am not sure though how many found out that the testimonials 
have websites too, maybe I should have made that more clear in the .html file.
This PoC demonstrated the most harmless impact, which was that you can abuse the 
issue for free webhosting (Ali usually sells cloud space for money). But in fact, 
we had a persistent XSS with lots of potential to raise other attacks from there.
(I still hid a persistent XSS; it occurs when clicking on the testimonial's website
from "Yosh Smith", at the "PiratesBase" navbar ;)

Basically the open door for XSS was used to place my own file/website on the CDN servers.
Back in my days this was called a "deface page". This is something the newer generation may 
not know that much about, as these were different times and today defaces rarely occur. Before 
about 2012, almost anything on the web was hackable. Hacking was kind of more underground and much 
less destructive than it is today. A deface page just replaced either the index file (landing 
page) of a website or created a file somewhere else in public www dirs, while leaving the rest of the 
website fully functioning and intact. It was like a fun competition between SysAdmins and Hackers. 
But times started to change... Some have taken it too far, especially eastern countries stupidly 
used defacing to represent their country flag, while hacking has nothing to do with things like 
nationality. They used exploits to mass-deface thousands of websites at once, or to extract 
sensitive data from databases, resulting in much public attention and attention of the feds to 
hacking in general, and it didn't take long until criminals also took note of the capabilities 
of using hacking techniques for fraud purposes. 

Today it's not the hackers anymore stealing money from you, stealing your passwords
or identity... it's regular criminals who just buy 0day exploits from hackers, while
the hackers themselves mostly do not participate in the actual fraud anymore. The reason 
why hackers sell to criminals is because, unfortunately, the true criminals are still 
the only ones that understand the real value of a vulnerability or a ready-made exploit. 
White hatting still often does not pay off and companies try to buy hackers for cheap, 
or a company has an overall and fundamentally wrong understanding of security and doesn't 
value the reports they receive from hackers/pentesters/researchers. Unless you are hired 
by a company as a Pentester, or find extremely critical bugs in VRPs, you most likely have 
to expect to get underpaid for White Hatting. 
(VRP = "Vulnerability Reward Program", the more official term for "BugBounty Program") 


Getting companies to take security seriously is a pain.
----------------------------------------------------------
Yes, I fully agree on this! I have been a witness myself when in the past dealing with 
companies that didn't understand either the impact/risk a vulnerability posed, or 
what risk their customers and core business were exposed to. Back in my times it was 
something very unknown: I reported vulns long before platforms like H1 and Bugcrowd 
existed and there were no rules, no guidelines, nothing that described this process
or made it transparent. It was like the "Wild West". This resulted in a lot of confusion, 
mostly on the side of the companies, as they faced something unknown and they didn't know 
how to react or deal with such reports. Some hackers told that companies felt threatened
by a hacking attack and involved the police. Another issue that especially Hackers and 
Pentesters/Researchers know about: "Thank you for reporting critical RCE in our production 
systems, we have fixed it, bye." (Often, researchers save the company thousands or even 
millions of dollars in damage, but in return, the researchers get left with a small and simple
"thank you", or only a low, inadequate amount of pocket money.) 

Some concepts tried to solve this, platforms like H1 were founded, but they introduced new 
problems and these mostly affected the researchers. Common problems are: slow fixing times 
result in duplicate reports, researchers get baited with worthless swag rewards or just 
"points", private programs allow the stars of platform XY to get fresh attack surface with
low-hanging bugs, while the rest of the people get access to a program after it was harvested
already, or only if the researchers have specific amounts of points (meaning they have to work 
for free at first to get to the interesting stuff), and other issues like absolutely stupidly 
set scopes that leave open doors in the full picture of a company's IT-Security concept. 


So Aliexpress runs a BugBounty program right?
----------------------------------------------
Yes, and talking about scope, the CDN domain was not in scope. As far as I know it was in a 
first round, but by the time I saw it, the scope was already adjusted to have the CDN domains 
excluded. Maybe they know about the issue and haven't fixed it yet, or they take it as accepted 
risk, where we are back at the point where companies do not fully understand the risk or impact 
of a vulnerability. Not meaning to mock Aliexpress: any company that decides to run a VRP 
is already a step ahead of 95% of the other companies that don't. So I do not mean to criticise 
Aliexpress for their VRP, but they should improve. Also the Bounty amounts are pretty cheap, 
a company of that size can easily pay more, but then we are back at when I said:
 "companies still try to buy hackers for cheap". 

ANYONE WHO'S WHITE-HATTING AND READING THIS: don't sell yourself for cheap, your skills are worth more! 
Stop reporting for free or for points - hacking requires a broad range of knowledge that covers different 
topics from the complete IT sector; this is massive and takes years(!) to learn - let them pay you this 
time, just like they pay their coders, their sysadmins, their managers. 

Exception: you are a young teenager that needs to collect some first few references in the IT-Sec field to 
get better chances when applying for a job. 

To anyone else not fitting in this category but still reporting for free: 
How does it feel to be sold as the "lowbob" of some rich company that massively profits from the hours of 
time YOU have spent learning? While you get left with a "thank you"... yes, a warm thank you is also nice, 
but at the end of the day, can you buy your family a piece of bread from this...? 


According to your tweets, you didn't report it then? 
------------------------------------------------------
No, as soon as I spot a flawed VRP I decide to rather dump a vuln out to the public and to leave
the company a message. I don't care about swag, money or "Hall of Fame" entries. In the end 
I have my fun and lulz and a company can benefit from it, if they at least take some of the info 
and rethink their processes or handling of vulnerabilities. For Ali my suggestion would be: 
expand your scope, raise bounties, take impacts more seriously or be quicker at fixing 
(whichever of the last two applies for the CDN). 


What advice do you have for others dealing with such situations? Should they also go and turn 
a vulnerability into a piece of art to get companies to realize they need to take it seriously?
---------------------------------------------------------------------------------------------
Haha, thank you for considering my deface page as art, indeed I put lots of love and joy into it (: 
First of all, I clearly do not encourage anyone to start defacing! While I agree a deface has much 
power of display and draws more attention from a company, defacing a server or website closely 
scratches the border of legality, so be careful and only do it if you absolutely know what you 
are doing. For this case, I see myself in a safe zone as Aliexpress runs a VRP, but in theory, 
they could still take legal action against me as my actions left their definition of "safe harbor". 
So either do it anonymously or be careful when using a doxable identity. Make sure to remember: 
there is always the way to contact a sysadmin via phone or email. SOME companies are pretty up 
to date with security standards and may respond unexpectedly professionally to your report or 
even may compensate you. If you have the feeling a company follows modern-day IT-sec processes, 
then maybe give it a chance. Use the other methods as a last resort only.


Will you be making your deface script publicly available? 
---------------------------------------------------------
Well, in fact, it already kind of is. All the images, the styles and even the reggae music are 
included in the .html file, there are no external files. The websites of the testimonials 
are single .html files too, except for the .mp3 downloads on the "PiratesBase" website from
testimonial "Yosh Smith" and the linked youtube videos. I made them separate to demonstrate 
that even other filetypes are possible to upload and, for the youtube video, that cross-domain 
policies are weak. The pages of "Jennifer Yang" and the "NSA" are also their own .html files. It 
may all look messy though, as the resources are included via base64 data URLs.

Back in the days each hacker had his own deface page (before the copy-pasting started), and 
this was what it was about. I remember a dude called "Starfield", his deface page had a 3D
Starfield animation (fitting to his name) which he completely coded himself with JS. 

So I recommend not to copy-paste, rather be creative and come up with your own ideas/style. 
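The single-file page Haxel0rd describes (resources inlined as base64 data URLs, inline script, a third-party youtube frame) is also a recognisable shape for whoever operates the CDN. As an added example, not code from the interview, here is a small Python auditor that flags those traits in HTML objects landing on a CDN bucket; the sample page and the `cdn.example.invalid` origin are constructed for the demo.

```python
# Added example (not from the interview): audit HTML objects reaching a CDN for the
# traits of a self-contained attacker page: base64 data: URLs, inline <script>, and
# iframes to origins the CDN does not own. The sample page below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
class CdnHtmlAudit(HTMLParser):
    def __init__(self, own_origins):
        super().__init__()
        self.own_origins = set(own_origins)  # hosts this CDN may legitimately embed
        self.findings = {"data_urls": [], "inline_script": 0, "foreign_frames": []}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = "src" not in attrs  # an inline script body will follow
        for name in ("src", "href"):
            value = attrs.get(name) or ""
            if value.startswith("data:"):
                # keep only the MIME type and size, never the embedded payload itself
                mime = value[5:].split(";", 1)[0].split(",", 1)[0] or "text/plain"
                self.findings["data_urls"].append((tag, mime, len(value)))
            elif tag in ("iframe", "frame", "embed", "object") and value:
                host = urlparse(value).hostname or ""
                if host and host not in self.own_origins:
                    self.findings["foreign_frames"].append(host)

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.findings["inline_script"] += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_html(document, own_origins=("cdn.example.invalid",)):
    parser = CdnHtmlAudit(own_origins)
    parser.feed(document)
    parser.close()
    f = parser.findings
    # inline executable content, a frame to a foreign origin, or an HTML/JS data URL
    f["suspicious"] = bool(f["inline_script"] or f["foreign_frames"]
                           or any(m in ("text/html", "text/javascript") for _, m, _ in f["data_urls"]))
    return f

# Constructed sample shaped like a single-file deface page (payloads are placeholders)
SAMPLE = ('<html><body><img src="data:image/png;base64,AAAA">'
          '<audio src="data:audio/mpeg;base64,BBBB" autoplay></audio>'
          '<iframe src="https://www.youtube.com/embed/placeholder"></iframe>'
          '<script>document.title = "hello";</script></body></html>')
```

Running `audit_html(SAMPLE)` reports one inline script, a foreign frame on www.youtube.com and two data URLs (image/png, audio/mpeg), which is enough to quarantine the object for review before it is served under the CDN's origin.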


Haxel0rd, thank you for answering questions for @Planetzuda
---------------------------------------------------------
Thank you for your interest in my work and all the best to @Planetzuda!
Cheers
