Hello Hackers, today in this write-up I am going to tell you how I bypassed a WAF and found 3 reflected XSS (RXSS) vulnerabilities on the same domain using the same technique.
So let’s call the target website target.com. I had done all the usual recon, like subfinder and Google dorking, but I never found this subdomain before. Special thanks to AbhirupKonwar bhaiya for sharing this amazing Google dork:
site:target.com inurl:= inurl:? inurl:&
When I searched with this Google dork I found a subdomain, call it xyz.target.com. I opened the site and simply started clicking on everything.
And I found this url:
https://xyz.target.com/resources/?dispenserid=1105&model=xyz&lang=English&resourcetype=xyz
Then I randomly put the word testing into the dispenserid parameter and, to my surprise, it was reflected as-is in the page source:
So I thought, why not try some HTML in its place, and I added this payload:
payload: "><h1>testing</h1>
For those who don’t know why I put "> before the h1 tag: the value is reflected inside a double-quoted attribute of an anchor tag (<a>), so "> closes the quote and the tag before the payload. In the source code the URL then looked something like this:
As you can see, the payload worked: we escaped the anchor tag and the h1 tag rendered. At that point I felt it was going to work, so I quickly tried another payload to test for reflected XSS.
Payload I used: "><script>alert(1)</script>
When I sent this payload, all I got back was a 403 Forbidden 😭. My heart broke 💔. But after more testing I understood that the WAF was blocking the script tag, so I tried another well-known payload:
payload: "><img src=x onerror=alert(1)>testing</img>
And this time my payload worked. I can’t show you the popup because it would reveal the company, but you can see that the payload executes.
And finally I reported this bug to the company.
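To make the root cause and the fix concrete, here is an added Python example (mine, not the target’s code or the author’s): it renders the dispenserid value into the anchor’s href the way the page did it and the way it should be done, then feeds the write-up’s payloads through a stand-in for the WAF rule that returned 403 (assumed here to be a plain blocklist on `<script`) to show why a blocklist alone does not close the hole while attribute-context encoding does.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed inputs for the dispenserid parameter: the write-up's three
# payloads plus a benign value. (Example code, not the target's code.)
PAYLOADS = {
    "benign": "1105",
    "h1": '"><h1>testing</h1>',
    "script": '"><script>alert(1)</script>',
    "img": '"><img src=x onerror=alert(1)>testing</img>',
}

def waf_blocks(value: str) -> bool:
    """Assumed stand-in for the WAF rule that answered 403: a blocklist on '<script'."""
    return "<script" in value.lower()

def render_vulnerable(dispenserid: str) -> str:
    """What the write-up observed: the parameter is dropped raw into an href attribute."""
    return f'<a href="/resources/?dispenserid={dispenserid}&model=xyz">Download</a>'

def render_safe(dispenserid: str) -> str:
    """Fix: URL-encode the value, then HTML-escape the whole attribute value."""
    query = urlencode({"dispenserid": dispenserid, "model": "xyz"})
    return f'<a href="/resources/?{html.escape(query, quote=True)}">Download</a>'

class TagCollector(HTMLParser):
    """Records the start tags an HTML tokenizer sees in the rendered markup."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(markup: str) -> list:
    """Start tags other than the intended <a>: anything here escaped the attribute."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return [t for t in parser.tags if t != "a"]

if __name__ == "__main__":
    for name, value in PAYLOADS.items():
        print(f"{name:7} waf_blocks={waf_blocks(value)!s:5} "
              f"vulnerable={injected_tags(render_vulnerable(value))} "
              f"safe={injected_tags(render_safe(value))}")
```

The script payload is the only one the blocklist stops, yet the img payload still breaks out of the vulnerable href; the encoded version injects nothing for any of them.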
After submitting this bug, I thought, why not try the other two parameters, model and lang?
Let’s see how model parameter works:
First I tried the same payload as above, but it didn’t work: the value was simply reflected as-is, as you can see in the source code:
and it is not reflected in the anchor tag at all.
So I wondered how I could execute a payload from inside the title tag, and that’s when I remembered the amazing payload list called XSS Polyglot Payloads.
I copied the first payload from that list, which is this one:
payload: jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
And to my surprise, this time the payload executed and I got another RXSS 🤑
Then I quickly reported this one to the company as well.