One night, out of nowhere, I started wondering: can you actually earn in bug bounty with just one payload? So I tried it immediately. I created a user on HackerOne and started looking for just one target (asset type: domain / wildcard).
I found my target: [Redacted].com (sorry, can't disclose it yet :( ). Now that I have a target, which vulnerability should I focus on? Injection? Nah, too complicated, and I don't think I can work with one payload there. That's when it hit me:
XSS, since I can use a single payload for it and it has a larger scope (stored, reflected and DOM-based). Sadly, self-XSS is often out of scope unless you can leverage it or chain it into something with real impact. So now I have my target and the vulnerability class; next, what payload should I use? I decided on
<iframe onload=alert(document.domain)>
Why? Why not, LOL. It is straightforward and easy to use. There are pros and cons to ready-made payloads (known payloads trigger WAFs), but my point here, for anyone starting in bug bounty, is that you don't need a lot of scripts, high-end devices or whatnot. All you need to start is one payload and patience :)
Disclaimer: "Using ready-made scripts will help you as long as you understand what they do. Don't be a script kiddie, download-and-fire kind of guy: read it and modify it based on your preference."
I started using my payload on the target's text fields: search bar, login fields, literally all of them, checking for any self-XSS. If it doesn't trigger, I move on to fields that the application saves (sign-up, comment, description, etc.) and fill all of them with the payload. After that, I review my HTTP history and check for URLs where the payload can be appended, for reflected and DOM-based XSS.
Note: after you find an XSS, it's time to increase its severity: look for any account takeover (ATO) scenario, unprotected cookies, etc.
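To make concrete why the payload above fires in a saved comment field and what the fix looks like on the application side, here is an added example (not code from the original post). It takes the post's exact payload, shows the unsafe concatenation pattern next to contextual HTML encoding that neutralises it, and, for the "unprotected cookies" point in the note, parses a Set-Cookie header and reports which hardening attributes are missing. The function names, the sample author and the cookie values are constructed for this demonstration.

```javascript
// Added example: the post's payload against an unsafe and a safe renderer,
// plus a Set-Cookie hardening check. Everything below is constructed
// for illustration; none of it comes from the original post's target.

// The exact payload the post uses.
const SAMPLE_PAYLOAD = '<iframe onload=alert(document.domain)>';

// Vulnerable pattern: user-controlled text concatenated straight into markup.
// A payload saved in a comment/description field lands here unchanged, so
// the browser parses it as a real element and the onload handler runs.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Contextual output encoding for element content and quoted attributes.
// Every character that can open a tag, close an attribute or start an
// entity is turned into its HTML entity, so the browser shows it as text.
function escapeHtml(str) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(str).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Hardened version: same template, every untrusted value encoded on output.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Simple regression check for reviews and tests: if an input that contains
// a tag opener reaches the output byte-for-byte, the encoding step was skipped.
function markupSurvived(output, input) {
  return /<[a-zA-Z!\/]/.test(input) && output.includes(input);
}

// The post's note mentions unprotected cookies as an escalation path: a
// session cookie without HttpOnly is readable by any script running in the
// page. Given a Set-Cookie header value, list the hardening attributes
// that are absent (HttpOnly, Secure, SameSite).
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Stand-alone demo run (constructed values).
const unsafeHtml = renderCommentUnsafe('alice', SAMPLE_PAYLOAD);
const safeHtml = renderCommentSafe('alice', SAMPLE_PAYLOAD);
console.log('unsafe render keeps the tag:', markupSurvived(unsafeHtml, SAMPLE_PAYLOAD));
console.log('safe render keeps the tag:  ', markupSurvived(safeHtml, SAMPLE_PAYLOAD));
console.log('safe HTML:', safeHtml);
console.log('weak cookie is missing:', missingCookieFlags('session=abc123; Path=/'));
console.log('hardened cookie is missing:',
  missingCookieFlags('session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'));
```

Encoding on output (rather than trying to strip "bad" input on the way in) is what closes the stored and reflected cases in one place, and the `markupSurvived` check is the kind of assertion a test suite can run over every template so that a new field does not quietly reintroduce the bug. The cookie check is deliberately narrow: HttpOnly stops injected script from reading the session value, but it does not stop script from making requests with it, which is why an XSS is still reportable even when the cookie flags are set.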
Will this work? Absolutely!!!
You can make this the starting point of your bug bounty career while learning how your XSS actually works: is it jQuery's .html(), or is it something else? Good luck on your bug bounty career!