[Bug Bounty] A Tale of 7 Vulnerabilities

Dear Readers, today i want to share my story on how i want to buy my new Laptop (Macbook Pro would be cool) so the notebook costs round about 1700$  with the help of BugBounty Money i want to buy it $$$.

So what i’ve done first is to look at a list of bug bounties, and the one i choosed Paypal. After visiting their Page (https://www.paypal.com/us/webapps/mpp/security-tools/reporting-security-issues) i saw some interesting things.

The following domains are included for the paypal.com family of companies:

  • PayPal.com
  • Zong
  • BillMeLater
  • Where
  • Card.io
  • Billsafe

So Zong is in Scope for the Bug bounty, i did a quick reverse DNS Lookup on Zong and found out that they have a domain called dev.zong.com, with a port 8080 open. After some research i found out that there was a Tomcat service running, when it asked me for the credentials i tried what everyone else would try … admin:admin and gues what ? It was successfull.

1. Apache Tomcat Manager Common Administrative Credentials (http: dev.zong.com)


So my first Vulnerability, so proud!

After a couple of hours i got the Answer from Paypal : Duplicate =  0$ for me. So a little bit disappointed but i want to go on further.

So my journey went on… i wanted to have a closer look on Paypal. Paypal has the option of sending invoice to customers, with the ability to also add Products, what i quickly found out was that the Description field of the Products is vulnerable to XSS with the following payload “#“><img src=/ onerror=alert(1)>”. And i was like Fuck yes! Stored Cross Site Scripting on the main site of Paypal!

so-much-win-tyle-wygrac-2So, how to go further ? The Vulnerability has to be an impcat on other customers of Paypal too. So i created another Paypal account and send the invoice to it. And gues what ? the XSS got executed.


Okay heading over to the Bug Bounty form and filled out my second report :

2. Paypal invoice stored XSS  

Here you can see a working demo

PoC Paypal

So my second Vulnerability worth 750$ if valid…would be half of the Laptop… After about one day Paypal updated my case and this time… ?  Duplicate = 0$ for me.

Okay at this point i was a bit more disappointed but still i don’t want to give up!. This time i wanted to go a bit deeper into the the Paypal subdomains, as i did this i found a domain called financing.paypal.com. This domain allowed a user to gerenate adds for their Paypal site, as i looked at the URL i saw that the Parameter ?120×90 was reflected to the Page, then i tried to inject some XSS and it got executed


Awwwyyyeeaaaahhh and again i filled another Bug Form for Paypal with super description etc:

3. financing.paypal.com reflected XSS

Here you can see a working PoC

After about three days i got an answer from Paypal : Duplicate =  0$ for me

So… after 3 Vulnerabilities… still at 0$ not bad but i am still feeling it astley1*never gonna give you up, never gonna let you down*

After some crying, i started again to look at the subdomains of Paypal what i found this time was a domain called apps.paypal.com, logging in there allowed me to create a new app, to this app i could add files, with the restriction of some file types but anyways. I tried to include some malformed images with xss payloads in them, and they got executed.


Cool yet another Cross Site Scripting… so i filled in another Bug Bounty form.

4. Four stored XSS at apps.paypal.com 

The answer came in pretty quick, they answered me that this issue does not affect any paypal users, they were right… 0$ for me.

So … okay let’s go on further as they write on their blog also domains including paypal-__.com are in scope i went on searching for them. The first one i found was the paypal-communities Page. After some URL Manipulation, Cross Site Scripting, Cookie Playing i was finally able to log into the Administrator Panel of the Community board without any limitations. At this point i wasn’t even realizing that i am the Admin of this board at this Point. i-have-no-idea-what-im-doing-dogreally at this point i had no clue what was going on… Later on the panel i found a box for a “Welcome Message” for the users. I tried my XSS stuff and it got executed (of course i am the f*cking admin right now) but i still wasn’t aware of this fact.

Screenshot 2013-12-06 16.58.47So i filled in the Form

5. stored Cross Site Scripting on paypal-communities.com okay then i pressed send and went back to the board, then suddenly, i realized that there are some strange things going on here, i can do some changes to user groups, there is a Group called “Admin” “Paypal” “Users” i can delete them… may i be admin? Yes i was admin… So i was like


Full RETARD… Okay filled in another Form again!

5.5 Privilege Escalation on Paypal-Communities.com (Admin) after sending the message, my Burp session got killed, i exited without saving my results. After half an hour a reply from Paypal came in, they need more information on this, a way on how to reproduce the whole thing, then i tried to go back on the page to see if it still works, but nope “Module not found” they already fixed the bug.

0$ for me. 

After banging my head 20 times against the wall i went on with my search. This time i searched on paypal-marketing.com, on this page there was a search form for finding paypal partners near you, after some time i found out that the search form was vulnerable for reflected XSS

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/#z=%23%E2%80%9C%3E%3Cimg+src%3D/+onerror%3Dalert%281%29%3E&r=DEU Sending this URL to a Paypal User i could steal the Cookie. 


So filled in yet another form :

6. paypal-marketing.com XSS in the Search field (ZIP or Postal Code)

After a few days, i got the same ol’ answer from Paypal

Hi Patrik,

Thanks for contacting us. While your submission is a duplicate as it was discovered by another researcher it is currently scheduled to be fixed.

So still 0$ for me. 

So this time i thought i have to be more creative. So i went back to apps.paypapal.com and saw that they have a tool to check the spelling of what someone is writing. Digging deeper i found out that this tool is doing an API call to another Domain, within this call the user is able to set a name for the Dictionary used, the Dicitonary name is Vulnerable to stored XSS.

paypalcookieAfter recognizing this, i wondered how to exploit this particular issue, i had the following idea, i copied the Api call to the third Party Application, then i shortened the link with bit.ly and then i sent the link to a user. When the User klicks on this link, a cookie with the XSS is stored now on the Victims Computer waiting to be executed.


The fun part of this Cookie is that it expires on Friday Jan 1 2038 so if a users klicks on the Dictionary option one time in 14 years the XSS gets executed. A szenario a bit weird, but it works. If you want to see a working demo, see here: https://www.youtube.com/watch?v=aPYRqXakyB8

So i tried my best, filling in the next report:

7. Cookie Injection stored XSS on apps.paypal.com

The response was quite dissapointing, the report was marked as invalid due to the fact that there is too much user input required….

so … here we go again 0$ for me.

So after 7 Bugs, my resumee 5 of them were duplicates and 2 of them were invalid, i have to be honest to myself, i suck at bug bounty, but how to pay the new Macbook ?


Sums it up. All the best 🙂

IT-Securityguard – Patrik Fehrenbach


3 Gedanken zu „[Bug Bounty] A Tale of 7 Vulnerabilities

  1. Nice findings buddy. But it’s not about your luck it’s about paypal cheating on researchers . Every bug cannot be duplicate , come on. Paypal sucks at bug bounty. :\

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.