Finding Reflected XSS In A Strange Way
Today I will be talking about finding a reflected XSS (Cross-Site Scripting) vulnerability in a very popular bug bounty program, and I will walk through how I came to find this bug and why it was a very interesting finding that may be the first of its kind.
Overview
Throughout this post, I will be going over the details of how I found an XSS vulnerability on a bug bounty program this year. Bug bounty programs, or BBPs, are run by companies that allow ethical hackers to analyze their software or application and attempt to find vulnerabilities, either for a reward, recognition, or experience.
This bug came to me while I was actually using a website for personal purposes. I had decided to keep paying attention to details and watch for any strange behavior while using the site regularly, which resulted in a great outcome: I came across this very strange bug, which their team considered a high severity issue. For those who are unaware, we will first go over what exactly an XSS attack is and how it is leveraged by attackers.
What Are XSS Attacks?
XSS (Cross-Site Scripting) is a vulnerability in which attackers are able to supply input to an application that includes a JavaScript payload, break out of the intended code context, and perform unauthorized actions on other users of the site. The attacker is therefore able to execute JavaScript in the context of the vulnerable website, which opens up many dangerous attacks and exploitation opportunities against other users.
Below you will see a simple XSS payload example:
"><script>alert(document.cookie)</script>
In the example above, the leading "> characters break out of the context of the surrounding code (here, closing the quoted attribute value and then the tag), although many other methods can be used to do this depending on the application, such as encoding, obfuscation, file uploads and more.
After breaking out of the expected code, we would then have full capability to execute any JavaScript we want, since we are no longer inside the input field that the value was originally intended for. In the example above, we inserted a script tag and told the site to execute an alert containing the end user's cookies when this page…
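To make the attribute break-out concrete, here is an added example (not code from the original post or from the affected program) showing a search parameter reflected into an HTML attribute, first unescaped and then with output encoding applied; the function names and the page markup are assumptions.

```javascript
// Added example, not from the original post. Function names and the
// page template are assumptions made for illustration.

// Vulnerable: the "q" parameter is reflected straight into an attribute
// value, so a double quote in the input terminates value="..." early.
function renderSearchPageVulnerable(q) {
  return `<form><input type="text" name="q" value="${q}"></form>`;
}

// Fix: encode the HTML-significant characters before reflection. A quote
// in the input now becomes &quot; and can no longer close the attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderSearchPageSafe(q) {
  return `<form><input type="text" name="q" value="${escapeHtml(q)}"></form>`;
}

// Crude reviewer check, not a real HTML parser: blank out every quoted
// attribute value, then see whether a <script> start tag survives in what
// remains, i.e. whether the input escaped the attribute context.
function hasScriptTagOutsideAttributes(html) {
  const stripped = html.replace(/"[^"]*"/g, '""');
  return /<script\b/i.test(stripped);
}

// The payload from the post, supplied as the search term.
const payload = '"><script>alert(document.cookie)</script>';

console.log(renderSearchPageVulnerable(payload));
// reflected verbatim: the attribute closes at the first quote and a
// real <script> element follows
console.log(hasScriptTagOutsideAttributes(renderSearchPageVulnerable(payload))); // true

console.log(renderSearchPageSafe(payload));
// encoded: the whole payload stays inside value="..." as inert text
console.log(hasScriptTagOutsideAttributes(renderSearchPageSafe(payload))); // false
```

The same encoding step belongs on every reflection point, and a templating engine that auto-escapes by default removes the need to remember it per field.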