Preface

A while back I noticed that @Random_Robbie and @Spam404Online had reported XSS vulnerabilities in Wappalyzer's website that were since fixed, and seeing that they accepted bug reports for kudos, I wanted to find some vulnerabilities to report to them.
We first checked their website's robots.txt for any sensitive files or endpoints, which is something everyone should do. One of the endpoints was named console, which looked interesting. When I visited it, it said "waiting for input followed" and "stop". This looked familiar, since on their main page they have a feature called "Analyse a website in real-time" which shows the same dark screen and the same message. The way this endpoint functions is that you submit a URL and it will crawl that website, showing its directories.

One of the vulnerabilities uncovered was that if the website had several directories, the endpoint would put the input into a script block. Since the endpoint didn't strip input, this allowed me to find a trivial XSS involving </script><svg/onload=confirm()>, but that isn't what this post is about.

I checked whether the endpoint made a request to any other pages when you submitted a URL, and it made a request to the console endpoint I mentioned before. The endpoint looked like this: wappalyzer.com/console?url= and, as most people would have guessed when greeted with this type of parameter, the first thing to try is passing the localhost address to it. First I tried 127.0.0.1, then http://127.0.0.1; both resulted in errors, but remembering the site was HTTPS, I tried https://127.0.0.1, which resulted in it crawling the directories of the website. Nothing severe yet, since it just showed known directories and nothing sensitive, so I moved on to checking the ports and protocols of the server. Additionally I tried to check for any form of XSPA vulnerability, but that turned up nothing. I checked the common ports and protocols, which gave the following results:
This returned a "Connection reset by peer" error, an indication that there was an SSH service listening which didn't like the request.
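As an added example that is not part of the original post or of Wappalyzer's code: the kind of check a URL-fetching endpoint such as console?url= should run before crawling, rejecting loopback, private and link-local targets, IPv4-mapped IPv6 forms of them, unexpected schemes and ports, and hostnames that resolve to any internal address. The resolver stub, its DNS table and the sample IPs are constructed so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy: the crawler is only meant to reach public HTTPS sites.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 -> 127.0.0.1
    # is_global already excludes loopback, RFC 1918, link-local, multicast
    # and reserved ranges; the explicit checks make the intent readable.
    return addr.is_global and not (addr.is_loopback or addr.is_private
                                   or addr.is_multicast)


def validate_crawl_target(url, resolve):
    """Return (allowed, reason) for a user-supplied crawl URL.

    `resolve(host)` is injected so the check is testable: in production it
    would wrap socket.getaddrinfo(); here a stub is used. The fetch that
    follows must connect to the validated IP, not re-resolve the hostname,
    or a DNS-rebinding answer could swap in an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    addrs = resolve(parts.hostname)
    if not addrs:
        return False, "hostname does not resolve"
    for ip in addrs:  # one internal record is enough to reject the URL
        if not is_public_address(ip):
            return False, "%s resolves to non-public %s" % (parts.hostname, ip)
    return True, "ok"


# Constructed DNS table standing in for real resolution (offline example).
CONSTRUCTED_DNS = {"example.com": ["93.184.216.34"],
                   "internal.example": ["93.184.216.34", "10.0.0.5"]}


def resolve_stub(host):
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal maps to itself
    except ValueError:
        return CONSTRUCTED_DNS.get(host, [])
```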