While exploring CarGurus’ bug bounty program, I discovered a reflected XSS vulnerability on their subdomain dealercentre.cargurus.co.uk. This writeup details the steps I took to identify and exploit the vulnerability using WordPress enumeration tools and a known vulnerable plugin.
Subdomain Enumeration
CarGurus’ bug bounty program accepts reports for subdomains of cargurus.co.uk. To begin my reconnaissance, I used Assetfinder to enumerate subdomains.
Command:
assetfinder --subs-only cargurus.co.uk
Result:
I identified the subdomain dealercentre.cargurus.co.uk, which was running WordPress.
Scanning for WordPress Vulnerabilities
To identify potential vulnerabilities, I used WPScan, a popular WordPress security scanner.
Command:
wpscan --url https://dealercentre.cargurus.co.uk/ --enumerate vp,vt --api-token [token]
--enumerate vp,vt
vp: Enumerate vulnerable plugins.
vt: Enumerate vulnerable themes.
Discovery of Vulnerable Plugin
WPScan revealed that the website was using an outdated version of the Sassy Social Share plugin, which is known to be vulnerable to Reflected Cross-Site Scripting (XSS).
Exploiting the Vulnerability
Using the Proof of Concept (PoC) provided on WPScan, I tested the reflected XSS on the following URL:
https://dealercentre.cargurus.co.uk/blog/april-2023-uk-vehicle-availability-index/?a"><script>alert(1)</script>
When this URL is accessed, the payload executes, resulting in an alert box appearing in the browser.
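The payload above works because a double quote followed by > closes an attribute and its tag, so whatever follows is parsed as new markup. The Python below is an added example (not the plugin's code, not the author's, and not a reproduction of how Sassy Social Share builds its output); it assumes a share link that reflects the request URI into a double-quoted href, a made-up host (example.invalid), and three constructed access-log lines. It shows the vulnerable pattern beside the attribute-escaped fix (html.escape with quote=True here; WordPress code would use esc_attr()), checks with an HTML tokenizer whether a script element actually appears, and flags log entries whose decoded query strings carry attribute-breakout or script markers so a defender can spot this class of probe in server logs.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumptions for illustration only: the host and template are invented, and the
# request URI is constructed to mirror the shape of the PoC (quote, >, script tag).
ASSUMED_HOST = "https://example.invalid"
REQUEST_URI = '/blog/some-post/?a"><script>alert(1)</script>'  # constructed


def render_share_link_unsafe(request_uri):
    """Vulnerable pattern: the raw request URI is concatenated into an attribute value."""
    return '<a href="%s%s">Share</a>' % (ASSUMED_HOST, request_uri)


def render_share_link_safe(request_uri):
    """Hardened pattern: attribute-escape before output, so quotes and angle brackets
    become entities and cannot close the attribute (PHP equivalent: esc_attr())."""
    return '<a href="%s%s">Share</a>' % (ASSUMED_HOST, html.escape(request_uri, quote=True))


class _ScriptTagFinder(HTMLParser):
    """Counts <script> start tags the tokenizer sees, i.e. real elements, not text."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def script_tags_in(markup):
    """Return how many <script> elements a parser finds in the rendered markup."""
    finder = _ScriptTagFinder()
    finder.feed(markup)
    return finder.script_tags


# Detection side: Common Log Format lines, constructed for this example.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2023:10:00:01 +0000] "GET /blog/some-post/?a%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '198.51.100.2 - - [01/Jun/2023:10:00:02 +0000] "GET /blog/some-post/?utm_source=newsletter HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2023:10:00:03 +0000] "GET /?s=car%20%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4096',
]

LOG_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Heuristic markers: attribute/tag breakout, script tag, javascript: URL, event handler.
# The lookbehind keeps ordinary keys such as coupon_code= from matching the on*= rule.
REFLECTED_XSS_MARKERS = re.compile(r'(?i)(["\']\s*>|<script|javascript:|(?<!\w)on\w+\s*=)')


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_path) for requests whose query looks like an XSS probe."""
    hits = []
    for line in log_lines:
        match = LOG_REQUEST.match(line)
        if not match:
            continue  # not in Common Log Format; skip rather than guess
        ip, raw_path, _status = match.groups()
        decoded = unquote(raw_path)  # payloads are usually percent-encoded in logs
        if "?" in decoded and REFLECTED_XSS_MARKERS.search(decoded.split("?", 1)[1]):
            hits.append((ip, decoded))
    return hits


if __name__ == "__main__":
    print("unsafe :", script_tags_in(render_share_link_unsafe(REQUEST_URI)), "script element(s)")
    print("safe   :", script_tags_in(render_share_link_safe(REQUEST_URI)), "script element(s)")
    for ip, path in suspicious_requests(SAMPLE_LOG):
        print("flagged:", ip, path)
```

Note that the tokenizer check is the meaningful one: the escaped output still contains the literal text "script", but only as entity-encoded characters inside the href value, which the browser never treats as markup. The log rule is a triage heuristic, not a signature; it is meant to surface candidates for review, and the status code is kept in the parser so a real deployment can weight 200 responses higher than 404s.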
#HappyHacking