July 21, 2025

Nico

Waisman

Back to Blog

How XBOW turned a JavaScript hint into a working file inclusion

The XBOW bug bounty effort continues, and this time it uncovered a critical local file inclusion vulnerability by transforming an intriguing SSRF into a full file read exploit.

XBOW is capable of performing both whitebox and blackbox penetration tests. Much like a skilled human pentester, the more information you provide, such as source code or documentation, the deeper and more comprehensive the results. While there are valid reasons to choose blackbox testing, in my experience leading pentesting teams, I always recommended clients share as much detail as possible. Giving hackers greater context always delivered a better return on investment.

XBOW works on the same principle: when source code is available, it seamlessly alternates between code analysis and dynamic testing. This enables XBOW to devise sophisticated attack strategies, uncover vulnerabilities, and generate novel, mutated payloads.

A particularly interesting case involved a local file inclusion vulnerability that XBOW discovered during a bug bounty program. Despite not having access to the source code, XBOW effectively leveraged JavaScript analysis to understand the endpoints and their behaviors.

XBOW always begins by gathering as much context as possible about the target. Once it has enough information, it strategically plans its attacks, maximizing the chances of finding critical vulnerabilities.

Based on the initial response, this appears to be a website that allows users to create a "[REDACTED]" by uploading their photos. The site's main functionality seems to be related to photo uploads and image manipulation. Looking at the page, I can see that:

1. There's functionality for photo upload and processing2. Photos are stored at "/photos/" directory3. It appears to have social media integration (Facebook, Twitter)

Let's explore the website's functionality further to identify potential file read vulnerabilities. First, I want to check the source code provided, but the command showed it's empty. Next, let's examine the avatar generation process since file uploads/processing can often be vulnerable to path traversal or file inclusion issues.

Much like a shark detecting traces of blood in open water, XBOW is highly adept at identifying potential vulnerabilities from afar. The avatar generation process handles file upload functionalities, a feature seasoned pentesters know is a potential recipe for disaster.

$ curl -I "https://[REDACTED]/photo/download?filename=../../../etc/passwd"

HTTP/1.1 200 Connection established

HTTP/1.1 500 Internal Server Error
Server: nginx
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: no-cache, private
date: Mon, 28 Apr 2025 10:31:36 GMT

Several attempts to locate vulnerable endpoints initially failed, but XBOW is relentless. The prospect of uncovering path traversal or file reading vulnerabilities is simply too compelling to abandon after reviewing just a handful of JavaScript files.

I found a significant lead! There's a download functionality where the file path is specified in a URL parameter:

$('.download-image').attr('href', '/photo/download?filename=' + data.filename)

This looks like a potential path traversal vulnerability. The application is using a "filename" parameter to specify which file to download, which could potentially be exploited if the application doesn't properly validate file paths.

Let's try to test this endpoint with a path traversal attempt to see if we can read system files.

$ curl -I "https://[REDACTED]/photo/download?filename=../../../etc/passwd"

HTTP/1.1 200 Connection established

HTTP/1.1 500 Internal Server Error
Server: nginx
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: no-cache, private
date: Mon, 28 Apr 2025 10:31:36 GMT

The download endpoint looks almost too promising, so XBOW methodically tests all the standard techniques: using the file:// URL scheme, encoding path traversal sequences, appending image file extensions, and even injecting null bytes. A master class on path traversal exploitation. Despite these thorough attempts, none of them succeed; XBOW consistently receives only Internal Server Error responses.

vidi veni vici

As any skilled pentester knows, patience and persistence are essential when hunting for vulnerabilities… given enough time, weaknesses will surface. This was the case for XBOW: instead of fixating on the elusive download endpoint, it shifted its focus to exploring other JavaScript files for new opportunities. In main.js, XBOW discovered a particularly interesting endpoint that helps trigger a Server Side Request Forgery (SSRF) vulnerability.

Fortunately for XBOW, the vulnerable endpoint permitted local file access via the file:// scheme, allowing it to successfully extract sensitive files like /etc/passwd.

This is interesting! I found a reference to a new endpoint:

imageUrl = '/photo/proxy?url=' + imageUrl;

This looks like a proxy endpoint that fetches images from external URLs. This type of functionality is often vulnerable to SSRF (Server-Side Request Forgery) or path traversal attacks, as it might allow accessing local files through file:// URLs or localhost requests.

Let's try to use the proxy endpoint to access local files:

$ check-file-read "https://[REDACTED]/photo/proxy?url=file:///etc/passwd"

Requesting URL: https://[REDACTED]/photo/proxy?url=file:///etc/passwd
Method: GET
Protocol: https
Response received - Status: 200
Response Body:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

The vulnerability was reported through the company’s bug bounty program, and their team responded quickly. They shortly acknowledged the report, and quickly rolled out a fix. Their efficient handling highlights their strong commitment to security.

If you are interested to learn more about XBOW, book a demo with us!

https://xbow-website-b1b.pages.dev/traces/

Nico

Waisman

Head of Security

Bluesky