Anton

Posted on • Originally published at therceman.Medium

$350 XSS in 15 minutes

Hello 👋

This is my first and last Bug Bounty Writeup this year. 😀

I am sharing with you my latest XSS finding, which I found 2 weeks ago.

This was the fastest and a bit unusual flow compared to what I normally do when I search for XSS.

So let's dive in…

  • The company asked me to retest an old XSS report.
  • I checked that XSS and confirmed that it was fixed properly.
  • The specific endpoint had a name param that was vulnerable to Reflected XSS injection.
        example.com/profile?name=<img+src=1+onerror=alert(1337)>
  • I started to search for a bypass and used the Search function in Chrome Developer Tools to search for this endpoint /profile in all JS files to check for another vulnerable param, but found another endpoint:
        example.com/services
  • The first idea that came to my mind was to put this URL into the Google search engine and see if this endpoint was cached somewhere on the Google web space with params.
  • After the first try, I found a cached endpoint with params on the first page of the results; the endpoint had an ID param and some other params.
        example.com/services?id=123&page=Demo
  • I added my payload qwe'"<X</ to the ID param and started to check if anything was reflected somewhere in the webpage's source code.
        example.com/services?id=123qwe'"<X</
  • Besides that, I opened the Network tab in Chrome Developer Tools to check all requests that this endpoint might send somewhere.
  • After the second refresh of the page, I found an interesting AJAX request that used a JSONP callback param together with the ID param from the endpoint itself. The AJAX request URL was similar to this:
        lib.com/find?id=123qwe&jsonp=cb12
  • The first thing that I tested was the JSONP param itself, to see if I could change it to an alert function with a custom parameter.
  • To my surprise, there was no check for the JSONP value, so I easily changed it to alert(1337);
  • Now it was time to check the ID param once again and see if it accepted other symbols, for example the % sign, to craft an encoded payload in order to add custom parameters to the AJAX URL.
  • I changed the endpoint URL to
        example.com/services?id=1%26jsonp=alert(1337);%23
  • When JS processed it, it transformed %26 to & and %23 to #. Everything behind the # (hashtag) symbol is ignored by the browser. The final AJAX call looked like this:
        lib.com/find?id=1&jsonp=alert(1337);#&jsonp=cb12
  • Using this AJAX URL manipulation (parameter pollution attack) I successfully triggered an alert box with the text 1337. This confirmed the existence of the DOM XSS vulnerability, and I received a $350 bounty, with an additional $50 for the retest of the old report.
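The two weaknesses the writeup chains together are (1) the page decoding its own id parameter and concatenating it into the AJAX URL, so an encoded & and # in the id rewrite the query string, and (2) the JSONP endpoint echoing any callback value into executable JavaScript. The example below is added here and is not the author's code or the target's code; it models the described behaviour with a string-concatenating URL builder, puts the fixed builder beside it (URL/URLSearchParams encode the value, so the injected parameter stays inside the id), and adds the server-side callback check the JSONP endpoint was missing. The function names, the base URL https://lib.com/find and the callback name cb12 follow the writeup's placeholders and are assumptions.

```javascript
// Added example (not from the writeup): URL building on the page side and
// callback validation on the JSONP server side. All names are assumptions.

const JSONP_BASE = "https://lib.com/find"; // placeholder host from the writeup

// Pattern described in the writeup: the page reads its own ?id= value (which
// URLSearchParams already percent-decodes, so %26 -> "&" and %23 -> "#") and
// concatenates it into the request URL. The decoded "&" starts a new
// parameter and the "#" turns the legitimate &jsonp=cb12 into a fragment.
function buildFindUrlUnsafe(pageQuery) {
  const pageParams = new URLSearchParams(pageQuery);
  const id = pageParams.get("id") ?? "";
  return `${JSONP_BASE}?id=${id}&jsonp=cb12`;
}

// Fixed builder: the decoded id is handed to URLSearchParams as a value, so
// "&", "#", "=" and friends are re-encoded and cannot break out of the id
// parameter. A numeric check is layered on top because the id is an integer.
function buildFindUrlSafe(pageQuery) {
  const pageParams = new URLSearchParams(pageQuery);
  const id = pageParams.get("id") ?? "";
  const url = new URL(JSONP_BASE);
  url.searchParams.set("id", id);       // encoded, stays inside the id value
  url.searchParams.set("jsonp", "cb12"); // cannot be overridden by the id
  return { url: url.toString(), idIsNumeric: /^\d+$/.test(id) };
}

// Server-side guard for the JSONP endpoint: accept only a plain (optionally
// dotted) JavaScript identifier as the callback name. "alert(1337);" contains
// "(" and ";" and is rejected instead of being echoed into the response.
function isValidJsonpCallback(name) {
  return (
    typeof name === "string" &&
    name.length <= 64 &&
    /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(name)
  );
}

// Builds the JSONP response body. The leading comment neutralises content
// sniffing tricks; send it with Content-Type: application/javascript and
// X-Content-Type-Options: nosniff. Throws on an invalid callback.
function renderJsonp(callback, data) {
  if (!isValidJsonpCallback(callback)) {
    throw new Error("invalid JSONP callback");
  }
  return `/**/${callback}(${JSON.stringify(data)});`;
}

// Constructed sample: the encoded id from the writeup.
const pollutedQuery = "id=1%26jsonp=alert(1337);%23";
console.log(buildFindUrlUnsafe(pollutedQuery)); // jsonp overridden, cb12 in fragment
console.log(buildFindUrlSafe(pollutedQuery).url); // jsonp still cb12
```

Parsing the two generated URLs with `new URL()` makes the difference visible: in the unsafe one `searchParams.get("jsonp")` is `alert(1337);` and the original callback sits in `hash`; in the safe one `searchParams.getAll("jsonp")` is just `["cb12"]` and the whole injected string is still the value of `id`. Either fix alone closes the reported chain; both together are the normal defence.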

Thanks for reading!


P.S. I'm working on a book for beginners in the Bug Bounty world. This book will include Networking, HTML & JavaScript basics, a short description of widespread vulnerabilities, and an in-depth analysis of the XSS vulnerability with examples, tips, tools, and tricks. At the end of the book, I will teach you how to create and deploy your own NodeJS service for testing Blind-XSS / SSRF vulnerabilities.

P.P.S. Stay tuned for updates and don't forget to subscribe at least somewhere so you won't miss any info regarding the book.


Happy Holidays & Happy New Year! 🎄


Sharing Bug Bounty Tips on

🔸 LinkedIn 🔗 https://linkedin.com/in/therceman

🔸 Instagram 🔗 https://instagram.com/therceman

🔸 Telegram 🔗 https://t.me/therceman

🔸 TikTok 🔗 https://tiktok.com/@therceman

🔸 YouTube 🔗 https://youtube.com/therceman

🔸 Twitter 🔗 https://twitter.com/therceman

Anton (therceman)