My Journey to Finding Two XSS Vulnerabilities on a Bug Bounty Website


Mickael Benlolo

Bug bounty hunting can sometimes feel like searching for a needle in a haystack. Hours of digging, testing payloads, and analyzing behavior can lead to dead ends, but every once in a while, perseverance pays off. This story is about how I discovered two XSS vulnerabilities on a bug bounty website. Along the way, I nearly gave up but eventually found success that renewed my hope. Here’s how it happened.

The hunt started with an analysis of the website’s structure. Like any bug hunter, I meticulously combed through the various pages, URLs, and parameters looking for anything unusual. One parameter caught my attention: /?fv=.

At first glance, it seemed like any other query parameter, but its usage intrigued me. Could it be vulnerable to XSS?

I began testing the /?fv= parameter with a variety of XSS payloads. Some of the initial payloads I tried included:

<script>alert("XSS")</script>
"><img src=x onerror=alert(1)>
"><svg onload=alert("Hacked")>

For hours, nothing worked. I started to feel like this parameter was a dead end. But then, something interesting happened.

I crafted a slightly modified version of one of my payloads:

/?fv=%3C%2Ftitle%3E%3CScRiPt%3Ealert%28%27MICK19J%27%29%3C%2FsCrIpT%3E

(URL-decoded):

/?fv=</title><ScRiPt>alert('MICK19J')</sCrIpT>

To my surprise, this one worked! The alert box popped up, confirming the presence of an XSS vulnerability.

Screenshot: XSS Vulnerability #1!

This small success reignited my determination. I reported the vulnerability but didn’t stop there. I felt there might be more to uncover.

Encouraged by my first find, I decided to explore other parts of the website. That’s when I stumbled upon the /memegen/?open_img_url= parameter. Given its name, I suspected it accepted user-provided input to fetch or display an image. This immediately piqued my interest because parameters like these are often prone to XSS.

I started testing the parameter with similar payloads, but this time, I focused on image-based vectors. After several attempts, I struck gold again with this payload:

/memegen/?open_img_url=%22%3E%3CScRiPt%3Ealert%28%27MICK19J%27%29%3C%2FsCrIpT%3E

(URL-decoded):

/memegen/?open_img_url="><ScRiPt>alert('MICK19J')</sCrIpT>

Sure enough, the alert box popped up again, confirming another XSS vulnerability.

Screenshot: XSS Vulnerability #2!

Never Give Up: After hours of testing the first parameter, I almost gave up. If I hadn’t kept going, I wouldn’t have found the vulnerability.

Modify Your Payloads: Subtle changes to payloads can make all the difference. The key to success was tweaking my approach and adapting to the context of each parameter.

Explore Every Corner: Finding the second vulnerability in a completely different part of the site showed me the importance of exploring thoroughly.
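As an added illustration (this is not the post's own code, nor the site's), the Python below shows why the two payloads work and what stops them. The leading </title> and "> only make sense if fv was reflected inside the page's title element and open_img_url inside a double-quoted src attribute, so the two templates are assumptions about the reflection contexts, not the real pages. Each vulnerable renderer is paired with a context-encoded one, and a small HTML-parser check counts the script tags a browser would actually execute.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# The two payloads from the write-up, URL-encoded exactly as they were sent
ENCODED_FV = "%3C%2Ftitle%3E%3CScRiPt%3Ealert%28%27MICK19J%27%29%3C%2FsCrIpT%3E"
ENCODED_IMG = "%22%3E%3CScRiPt%3Ealert%28%27MICK19J%27%29%3C%2FsCrIpT%3E"

def decode(value: str) -> str:
    """URL-decode a query value the way the server does before reflecting it."""
    return unquote(value)

# Hypothetical templates standing in for the real pages: the breakouts in the
# payloads (</title> and ">) only work if fv is reflected inside <title> and
# open_img_url inside a double-quoted src attribute.
def render_title_vulnerable(fv: str) -> str:
    return f"<html><head><title>Video {fv}</title></head><body></body></html>"

def render_title_fixed(fv: str) -> str:
    # Element content: encode < > & so a </title> inside the value stays text
    return f"<html><head><title>Video {escape(fv)}</title></head><body></body></html>"

def render_img_vulnerable(url: str) -> str:
    return f'<img src="{url}" alt="meme">'

def render_img_fixed(url: str) -> str:
    # Attribute value: encode " too (escape does so by default), and accept only
    # http(s) URLs so javascript: or data: schemes never reach src either
    if urlsplit(url).scheme not in ("http", "https"):
        url = ""
    return f'<img src="{escape(url, quote=True)}" alt="meme">'

class ScriptCounter(HTMLParser):
    """Count <script> start tags as a browser's tokenizer would see them."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lower-cases names, so ScRiPt is caught
            self.scripts += 1

def script_tags(document: str) -> int:
    """Return how many script elements the rendered page would execute."""
    parser = ScriptCounter()
    parser.feed(document)
    parser.close()
    return parser.scripts
```

The mixed-case ScRiPt in the payloads buys nothing against a tokenizer that lower-cases tag names, which is why output encoding rather than keyword filtering is the fix.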

This experience reinforced that persistence and creativity are critical in bug bounty hunting. Finding two XSS vulnerabilities on the same website was incredibly rewarding, and it all started with a single parameter that looked mundane at first glance.

If you’re a fellow bug bounty hunter, I hope this story inspires you to keep pushing forward. Happy hunting!
