Bug bounty hunting can sometimes feel like searching for a needle in a haystack. Hours of digging, testing payloads, and analyzing behavior can lead to dead ends, but every once in a while, perseverance pays off. This story is about how I discovered two reflected XSS vulnerabilities on a bug bounty target. Along the way, I nearly gave up but eventually found success that renewed my hope. Here's how it happened.
The hunt started with an analysis of the website’s structure. Like any bug hunter, I meticulously combed through the various pages, URLs, and parameters looking for anything unusual. One parameter caught my attention: /?fv=.
At first glance, it seemed like any other query parameter, but its usage intrigued me. Could it be vulnerable to XSS?
I began testing the /?fv= parameter with a variety of XSS payloads. Some of the initial payloads I tried included:

<script>alert("XSS")</script>

"><img src=x onerror=alert(1)>

"><svg onload=alert("Hacked")>

For hours, nothing worked. I started to feel like this parameter was a dead end. But then, something interesting happened.
I crafted a slightly modified version of one of my payloads:

/?fv=%3C%2Ftitle%3E%3CScRiPt%3Ealert%28%27MICK19J%27%29%3C%2FsCrIpT%3E

(Decoded):

/?fv=</title><ScRiPt>alert('MICK19J')</sCrIpT>

To my surprise, this one worked! The alert box popped up, confirming the presence of a reflected XSS vulnerability. Two things made the difference. The leading </title> indicates that the value was being reflected inside the page's <title> element: a browser treats everything up to the next </title> as plain text, so a <script> tag written there never becomes an element, and closing the title first drops the script tag into ordinary markup. The mixed-case tag names presumably slipped past whatever filter had been eating the lowercase payloads.
Screenshot: (image not reproduced here)
This small success reignited my determination. I reported the vulnerability but didn’t stop there. I felt there might be more to uncover.
Encouraged by my first find, I decided to explore other parts of the website. That's when I stumbled upon the /memegen/?open_img_url= parameter. Given its name, I suspected it accepted a user-provided URL to fetch or display an image. This immediately piqued my interest: when a URL like this is written straight into the src attribute of an <img> tag, an attacker can close the attribute and the tag and inject arbitrary markup, so parameters like these are a frequent source of reflected XSS.
I started testing the parameter with similar payloads, but this time, I focused on breaking out of an attribute. After several attempts, I struck gold again with this payload:

/memegen/?open_img_url=%22%3E%3CScRiPt%3Ealert%28%27MICK19J%27%29%3C%2FsCrIpT%3E

(Decoded):

/memegen/?open_img_url="><ScRiPt>alert('MICK19J')</sCrIpT>

Sure enough, the alert box popped up again, confirming another XSS vulnerability. Here the leading "> closes the quoted src attribute and the <img> tag, so the script tag that follows is parsed as a sibling element rather than as part of the URL.
Screenshot: (image not reproduced here)
This experience reinforced that persistence and creativity are critical in bug bounty hunting. Finding two XSS vulnerabilities on the same website was incredibly rewarding, and it all started with a single parameter that looked mundane at first glance.
If you’re a fellow bug bounty hunter, I hope this story inspires you to keep pushing forward. Happy hunting!