It's been a while since I posted a writeup, so I thought it would be wise to make one for beginners.
So to begin, I want to answer some questions. What is Cross-site Scripting (XSS)?
Cross-site Scripting (XSS) is a well-known vulnerability that occurs when an application takes user input and places it into a page without encoding it for the context it lands in. There are other types of XSS vulnerabilities too, but today I am going to talk about Reflected Cross-site Scripting.
Lots of wannabe bug bounty hunters think that XSS is just copying and pasting <img src=x onerror=alert(1)> everywhere and expecting to see a pop-up on the screen. What XSS is really about is the context. So let's say the XSS context is inside an HTML tag attribute value: you might be able to terminate the attribute value, close the tag and create a second tag that will carry your payload. Unfortunately, in most cases angle brackets will be blocked or encoded.
But if you understand XSS contexts, you may still be able to terminate the attribute value and create a new attribute that will carry your payload, for example:
" autofocus onfocus=alert(document.domain) x="
To close, I am going to talk about my finding.
I found an error page on webarchive; there was a parameter called result in the URL, but the site wasn't showing anything. So I thought it'd be wise to look at the source code of the site, and to my luck the parameter was reflected inside a script tag. If you were to just paste "><img src=x onerror=alert(1)> into the parameter, you wouldn't see any pop-up. You need to close the script tag first and then create a new tag that will carry your payload. The final payload I used as a PoC in my report was
</script>"><img src=x onerror=alert(1)>
Reported On: 11/10/2022
Triaged On: 11/11/2022
$$$ Bounty Paid On: 11/15/2022
Triaged in 1 day, and I got paid a $$$ bounty in a week. It was one of my fastest paid reports.