How I accidentally discovered XSS.


So what is XSS? I will not explain it in detail, because I believe it is a common vulnerability that most bug bounty beginners are already familiar with. It is not an easy bug to find, but it is one that is worth knowing about.

According to OWASP (Open Web Application Security Project), XSS is a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. So basically XSS is a vulnerability that occurs when the application doesn't sanitize the user's input, so a bad user can execute bad code through the server. That's why it is categorized as an injection attack: the bad actor tries to inject code (usually JavaScript) into the server.

There are 3 types of XSS:

Reflected XSS
Stored XSS
DOM XSS

And I encourage you to do a little research on what the difference is between those three, and how to find them :D

This is a very common bug that all security professionals learn about. It is actually very common to find, and if you do find it, it is likely to be a duplicate. However, I want to encourage you to always report bugs, even if you think they are duplicates. The point of bug hunting is to find and fix security vulnerabilities, not to earn money. So be proud of your findings, even if they are not new. Enough of the talk, let's dive into how I accidentally found my XSS.

So if you've been following me for a long time, or reading my other blog posts, you are already familiar with my methodology / pattern for approaching a target in my bug bounty work, right? For new readers, I will explain my methodology. Whenever I arrive at a website, I always go to the login page first and test for common vulnerabilities like no rate limit, Host header injection, etc.

But on today's website, bad luck: there is no login page for users. This website can only be used to search for the nearest store near you and buy things through your WhatsApp number. At that time, I will be honest, I was very confused, because I didn't know what to do. So I tried to do recon, since there was nothing obvious to test. I used a tool called subfinder, which you can download here: https://github.com/projectdiscovery/subfinder, and I used this command

subfinder -d victim.com

And then I found a long list of subdomains, with nothing interesting, until I found a subdomain that looked like this

gift.victim.com

And when I visited the website, it allowed users to find a gift voucher and then search for which city that gift voucher works in. And then there was a section that looked like this.

So it's like searching whether there is any available gift pass code in my area. So I decided to throw in a basic XSS payload

<script>alert(1)</script>

And I could not search with it. I don't know why; there was no error or anything, but I couldn't submit that input. So I tried filling it with my real address instead, and it gave me back a URL that looked like this

https://gift.victim.com/doFind?pass_type=giftpass&city=REDACTED+REDACTEDG&merchant=&category=0#map_section

And I don't know why, but my mind just told me: "Hey, it doesn't work when you input it directly in the input box, how about you input it from the URL? Maybe that works?"

So I tried inputting the basic payload <script>alert(1)</script>, but URL-encoded, directly into the URL

https://gift.victim.com/doFind?pass_type=giftpass&city=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

And when I hit enter

DAMN! I JUST ACCIDENTALLY FOUND A REFLECTED XSS! I was like "How the hell did this work?" Well, I don't know the exact reason. Maybe it only performs validation on the frontend, but when the request reaches the backend, it doesn't validate anything? I have no idea. If you guys know what the cause of this is, let me know in the comments please :D
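To make the frontend-vs-backend question concrete, here is an added example (not code from the original post or from the affected site) that models what the post describes: a page that builds a /doFind URL with a city parameter, a check that lives only in the browser, and a server that reflects the parameter into HTML. The hostname gift.example.com, the page template and the frontend check are all assumptions modelled on the post, not the real application. The example shows why a browser-side check is irrelevant once the URL is requested directly, and what the server-side fix (HTML-escaping the reflected value) looks like next to the vulnerable version.

```python
"""Added example, not from the original post: a reflected parameter rendered
with and without server-side escaping, plus the kind of browser-only check
the post suspects the site relied on. All URLs, names and templates here are
constructed for illustration and modelled loosely on the post."""
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed URLs modelled on the post. The payload is URL-encoded exactly as
# a browser would send it in the query string.
ATTACK_URL = ("https://gift.example.com/doFind?pass_type=giftpass"
              "&city=%22%3E%3Cscript%3Ealert(1)%3C/script%3E")
BENIGN_URL = "https://gift.example.com/doFind?pass_type=giftpass&city=Example+City"

# Assumed page template: the city value is reflected into an attribute and a paragraph.
TEMPLATE = '<input name="city" value="{city}"> <p>Gift passes available in {city}</p>'


def frontend_check_passes(value: str) -> bool:
    """Hypothetical browser-side check (the post's guess at why the form refused
    the payload). It runs only in the page's JavaScript, so a URL typed into the
    address bar or sent by any HTTP client never goes through it."""
    return "<" not in value and ">" not in value


def city_param(url: str) -> str:
    """Return the city parameter exactly as the server receives it: percent-decoded,
    with '+' turned back into a space. This is the value the backend must treat as
    untrusted regardless of what the form's JavaScript did."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("city", [""])[0]


def render_vulnerable(city: str) -> str:
    """'Before': reflects the parameter into the HTML verbatim, trusting the frontend."""
    return TEMPLATE.format(city=city)


def render_hardened(city: str) -> str:
    """'After': HTML-escapes on output, so " > < cannot close the attribute or open a tag."""
    return TEMPLATE.format(city=escape(city, quote=True))


def script_tag_survives(html_out: str) -> bool:
    """Demo-only check: did a literal <script> element make it into the rendered HTML?"""
    return "<script>" in html_out.lower()


if __name__ == "__main__":
    for url in (BENIGN_URL, ATTACK_URL):
        city = city_param(url)
        print(f"city as received by the server: {city!r}")
        print(f"  would the browser-side check have allowed it? {frontend_check_passes(city)}")
        print("  vulnerable output:", render_vulnerable(city))
        print("  hardened output:  ", render_hardened(city))
```

Running it shows the hypothetical frontend check would indeed have rejected the payload, yet the vulnerable renderer still emits a live <script> element because the server never saw that check; only the hardened renderer, which escapes on output, keeps the reflected value inert. The benign city renders identically in both versions, which is the property a fix should preserve.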

I reported the bug to the company, but after 8 months, I still haven't received a response. That's okay, I don't mind. I'm just happy that I was able to trigger the XSS vulnerability on a real-world site and not just a playground site. As I always say, it's okay to find duplicate bugs. Bug bounty hunting can be frustrating sometimes, but there's one mindset that I always tell you: "Don't let duplicates stop you." Keep searching for bugs. The money is a bonus. The goal is to find bugs.

See you on the next post, hunters!
