Introduction
In the world of bug bounty hunting, discovering browser-specific vulnerabilities can be both challenging and rewarding. Recently, I came across a reflected Cross-Site Scripting (XSS) vulnerability on help-ads.target.com that bypassed Amazon CloudFront's Web Application Firewall (WAF) protections but executed successfully on Safari browser. This write-up details the process of identifying, exploiting, and reporting this issue.
Discovery
While testing the help-ads.target.com domain, I initially attempted a standard XSS payload:
<a href="JavaScript:alert(1)">Test XSS</a>
Unfortunately, Amazon CloudFront’s WAF effectively blocked this and other similar payloads. However, I realised the parameter s in the URL was reflecting input without proper sanitisation. This prompted me to test payloads targeting browser-specific behaviours.
Failed Attempts
I experimented with various payloads using different HTML tags, JavaScript event handlers, and encoding techniques. Some of the payloads tested included:
1. JavaScript event handlers:
<a onclick="alert(1)">Click me</a>
2. Escaped characters and hexadecimal encoding:
<a href="javascript:\u0061lert(1)">Click me</a>
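As an added illustration, not part of the original write-up, of why the fix for this class of bug is contextual output encoding of the reflected parameter rather than a keyword block list: the three payloads above are run through a hypothetical keyword signature and through a raw versus an encoded reflection of s. The signature regex, the two reflection functions and the active-markup check are assumptions made for the demo, not anything from CloudFront or the target site.

```python
import html
import re

# The payload strings listed in the write-up, used here as constructed sample
# values for the reflected parameter `s`. Raw string keeps \u0061 literal.
PAYLOADS = [
    '<a href="JavaScript:alert(1)">Test XSS</a>',
    '<a onclick="alert(1)">Click me</a>',
    r'<a href="javascript:\u0061lert(1)">Click me</a>',
]

# Hypothetical keyword rule of the kind a WAF block list might carry: it only
# fires when the literal token alert( is present in the request value.
SIGNATURE = re.compile(r"alert\s*\(", re.IGNORECASE)


def signature_blocks(s: str) -> bool:
    """True if the keyword rule would block this value."""
    return SIGNATURE.search(s) is not None


def reflect_vulnerable(s: str) -> str:
    """The finding: the parameter value is echoed raw into the HTML body."""
    return f"<p>Results for: {s}</p>"


def reflect_hardened(s: str) -> str:
    """Entity-encode for an HTML text context: <, >, &, \" and ' become
    entities, so the value can never open a tag or an attribute."""
    return f"<p>Results for: {html.escape(s, quote=True)}</p>"


# Crude detector for a tag carrying an on* handler or a javascript: URL,
# used only to compare the two reflections; it is not a production filter.
ACTIVE_MARKUP = re.compile(r"<\w+[^>]*(?:\bon\w+\s*=|javascript:)", re.IGNORECASE)


def contains_active_markup(page: str) -> bool:
    return ACTIVE_MARKUP.search(page) is not None


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"blocked by keyword rule: {signature_blocks(p)!s:5}  "
              f"raw reflection active: {contains_active_markup(reflect_vulnerable(p))!s:5}  "
              f"encoded reflection active: {contains_active_markup(reflect_hardened(p))}")
```

The \u0061 variant slips past the keyword rule while the raw reflection still yields live markup; the encoded reflection yields none for any of the three, which is the property a block list cannot give.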