Unlocking My First Bug Bounty: The Power of XSS Exploits Revealed!


Rajeevmaurya

I never thought I would write a blog about my journey from a script kiddie to a hacker, but here I am, sharing my experience as a bug bounty hunter.

So, first and foremost, I want to share my thought process when I started my journey as a bug hunter. As we all know, there is a lot of crowd everywhere, whether it is a VDP program or a BBP program, so it's hard to choose where to apply our skills to get a satisfactory outcome.

But in the end we frustrate our minds and end up with nothing.

In my experience, find a program that has a lot of subdomains, which increases the scope for a positive finding, and first focus on enhancing your skills by reading HackerOne reports; if you are a beginner, my recommendation would be PentesterLab.

Now, let's hop on to the bug which got me my first bounty.

The bug I found was a Reflected XSS on a private program on HackerOne which, for obvious reasons, I can't name.

This program was a website with a unique concept, allowing users to access a personal computing workspace just by logging in on their website; it also didn't have any subdomains, as it was a brand-new start-up site.

For now we can call it Hunterxyz.com.

The initial goal was to explore the website and run some recon tools to gather as much information as I could; I used waybackurls, getallurls, gau, and katana to gather the site's endpoints.

While exploring the site I also found an interesting 2FA bypass, which I will elaborate on in another write-up.

After fetching all the endpoints, I merged them into one file using the command

cat *.txt > output.txt

And using sort and uniq I removed the duplicates (uniq only collapses adjacent duplicate lines, so the file is sorted first):

sort output.txt | uniq > unique_urls1.txt

Filter the URLs that carry query parameters using

grep '=' your_urls_file.txt > filtered_urls.txt

Now that we have tons of filtered URLs, we can test for XSS manually with our payloads, or using the Intruder tab of Burp Suite (only if the website doesn't have any kind of WAF), or else we can use ffuf and check the responses.

After testing payloads against different parameters, I came across an interesting parameter called hunter.args=

I tested different encoded payloads; at last one payload gave me a reflected output and BOOM!!! we got our payload working.

The payload which worked for me was:

%3CSvg%20On%20Only%3D1%20Onload%3Dalert(%22hunter%22)%3E
<Svg On Only=1 Onload=alert("hunter")>

POC

I was rewarded $150 in total: $100 for the bug and $50 for retesting.

In conclusion, my recommendation while testing for XSS is:

First pick a payload.

Check in the source code whether it is reflected or not.

Modify it according to the tag it lands in.

I have seen many bug hunters executing payloads without even looking at what's going on in the background.

For example, if the payload lands inside a <script> tag, don't use a <script> tag in the payload.
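As an added example (not the author's code), here is the "check whether it reflects, and how" step made concrete from the defensive side: a hypothetical handler that reflects the hunter.args parameter verbatim sits beside its entity-encoded fix, and a harmless canary string shows which of the two a response came from. The site URL and handler names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed canary: characters that matter in HTML but do nothing on their own,
# so the check shows *how* a value is reflected without running any script.
CANARY = '<"canary\'>'


def render_vulnerable(args: str) -> str:
    """Hypothetical handler that reflects the parameter verbatim (the bug class here)."""
    return f"<p>Workspace args: {args}</p>"


def render_hardened(args: str) -> str:
    """Same handler with HTML entity encoding applied to the untrusted value."""
    return f"<p>Workspace args: {html.escape(args, quote=True)}</p>"


def classify_reflection(body: str, marker: str = CANARY) -> str:
    """'unencoded' if the marker came back verbatim (tags/attributes can be injected),
    'encoded' if only its entity-escaped form is present (safe in text context),
    'absent' if the parameter is not reflected at all."""
    if marker in body:
        return "unencoded"
    if html.escape(marker, quote=True) in body:
        return "encoded"
    return "absent"


def check_parameter(url: str, handler, param: str = "hunter.args") -> str:
    """Extract `param` from the URL's query string, feed it to the handler and
    classify the resulting page body."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    value = query.get(param, [""])[0]
    return classify_reflection(handler(value))


if __name__ == "__main__":
    # Constructed URL for the placeholder site named in the write-up.
    url = "https://hunterxyz.example/workspace?" + urlencode({"hunter.args": CANARY})
    for name, handler in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: {check_parameter(url, handler)}")
```

A result of "encoded" only tells you the value is safe in HTML text context; a value reflected inside a script block or an unquoted attribute needs its own context-specific check.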

At last, I'll share the resource where I gained all my valuable cybersecurity knowledge, with the best instructors teaching and making you do it yourself:

https://dictechnology.in/

I hope this write-up helps you understand the concept of XSS.

Thank you

If you like my write-up please do support me:

https://ko-fi.com/hunterdawn
