Hello bug hunters! I’m back again with another writeup. I don’t usually show off my bounties 🤑, but this writeup isn’t about the bounty. I’ll tell you the mistakes I made, which you shouldn’t repeat when you find the same kind of bug, and I’ll also share some tips and, of course, some bug chaining. So, without any delay, let’s start the roller coaster ride. 😉
I fired up Burp Suite (Burpi ❤) and spidered the whole website. Then I noticed that there were no security headers at all, especially no XSS protection header. As you know about the target, there was no form functionality to test input validation, but there were language/email parameters (e.g. target.com/?lang=en&email=x). I know what you are thinking right now. I tried a simple XSS payload and it worked!! Woohoo… 😍
I started bug chaining. First, HTML injection: I typed simple HTML code (e.g. <h1>HelloWorldHTMLInjectionHere</h1>) and it rendered. What else can we do? Another bug chain is open redirection via HTML injection. Yes, you read that right. The payload looks like the one below:
It redirects to example.com. I quickly made a PoC, wrote a good report and sent it to their security mail. After a couple of days I got a mail saying I was eligible for a bounty, and I got $500. That’s it guys. Keep hunting, keep sharing.
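The root cause described above is a page that reflects the lang and email query parameters straight into its HTML with no output encoding, on a site that also sends no security headers. The example below is added here and is not code from the original post or the target; it shows a constructed vulnerable renderer beside a hardened one (an allowlist for lang, HTML entity encoding for email, and a minimal set of response headers), plus a helper that lists which of those headers a response is missing. The allowlist values and header set are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed allowlist of language codes the page actually supports (assumption).
ALLOWED_LANGS = {"en", "de", "fr"}
DEFAULT_LANG = "en"

# Minimal header set a hardened response should carry (assumption for illustration).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


def _params(query):
    """Extract the two reflected parameters from a raw query string."""
    parsed = parse_qs(query)
    lang = parsed.get("lang", [""])[0]
    email = parsed.get("email", [""])[0]
    return lang, email


def render_vulnerable(query):
    """Vulnerable form: both parameters are interpolated into HTML verbatim,
    and no security headers are set. Returns (headers, body)."""
    lang, email = _params(query)
    body = f"<p>Language: {lang}</p><p>Email: {email}</p>"
    return {}, body


def render_hardened(query):
    """Hardened form: lang is validated against an allowlist (it is never
    free text), email is entity-encoded before being placed in HTML,
    and the response carries the security headers. Returns (headers, body)."""
    lang, email = _params(query)
    if lang not in ALLOWED_LANGS:
        lang = DEFAULT_LANG
    safe_email = html.escape(email, quote=True)
    body = f"<p>Language: {lang}</p><p>Email: {safe_email}</p>"
    return dict(SECURITY_HEADERS), body


def missing_security_headers(headers):
    """Return the names of expected security headers absent from a response,
    in the order they are listed in SECURITY_HEADERS. Header names are
    compared case-insensitively, as HTTP header names are."""
    present = {name.lower() for name in headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


if __name__ == "__main__":
    # Constructed request using the same HTML-injection probe the writeup mentions.
    probe = "lang=en&email=<h1>HelloWorldHTMLInjectionHere</h1>"
    for renderer in (render_vulnerable, render_hardened):
        headers, body = renderer(probe)
        print(renderer.__name__, "->", body)
        print("  missing headers:", missing_security_headers(headers))
```

Running the block shows the vulnerable renderer returning the probe as live markup and reporting all three headers missing, while the hardened renderer returns the same input as inert text (&lt;h1&gt;...) and reports nothing missing. The lang parameter is handled by allowlisting rather than encoding because a language code has a fixed vocabulary; encoding is reserved for genuinely free-text values like the email field.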
Mistakes I made while testing: there were more than 6 domains related to the target company, and the same bug was present on them. But I reported only the main domain’s bug, and they fixed the remaining domains, which were affected by the same bug, as well.
Lesson: If you find a bug, check the same parameters on all in-scope domains.
Tip: If self-XSS is out of scope, you can try HTML injection, open redirection, CSRF, or escalating self-XSS to stored XSS.
Twitter: Dipak Panchal