Unique XSS Earned Me a $$$ Bounty

Hello, Enthusiastic Community! 👋

I’m excited to share my latest experience with you all. As many of you know, bug bounty hunting is both a thrilling and rewarding journey. Recently, I managed to discover a unique XSS vulnerability that earned me a good bounty!

Recently, I chose a target using Google dorking. Later, I emailed them about the status of their bounty program via the provided email address. Within two hours, I received a reply from the team stating that the bounty program is active. I then started hunting on this domain and tested every possible case to find a vulnerability, but nothing worked.

Then, I stopped for a day, took a fresh start in the morning, and revisited my previous notes. I noticed there is a ‘Help Me’ page option in the configuration tab.

I thought I had to take a closer look at the field. Then, I injected an XSS payload, which threw me out with a message saying that only valid URLs are allowed. I captured the link and input a malicious XSS payload.

It accepted the payload, and I observed that there was only client-side validation on the field. Yay! I felt like I almost had the XSS, but when I visited the ‘Help Me’ page, the XSS payload was not triggered.

That’s because there is an attribute called ‘target=_blank’ which executes the payload in another tab.

It wasn’t worth much. After some research on how to override the ‘target=_blank’ attribute, I found nothing. But after watching some PoC’s, I saw one guy override it by clicking the mouse wheel, which opens the page in a new tab within the same domain.

Finally, the payload was executed on the client side.

The Bounty

I immediately reported it through the bug bounty platform, explaining the nature of the vulnerability and the impact it could have on user privacy and security. To my delight, the platform awarded me a bounty for discovering the XSS vulnerability. The bounty was a nice reward for my efforts, but the real satisfaction came from identifying the flaw and helping to fix it.

Thank you for your time!!!

Connect with me: https://www.linkedin.com/in/prasad-kuppili/