AssalamuAlaikum everyone. My name is Farhan, aka Fani Malik, a bug hunter. Here I am sharing an interesting XSS bug that I found a while ago.
The target didn't have a bug bounty program; I randomly landed on the site, and after contacting the support team they allowed me to hunt on it. The target was quite simple, with simple functionality: if you enter the username of any Instagram account in the input field, the site fetches that account's profile picture and lets you download it (public profile pictures, obviously). If you think the input field is vulnerable to XSS, you're wrong; please continue reading the write-up.
First of all, I enumerated all subdomains of target.com with subfinder, then did subdomain brute-forcing with knockpy. Next I used waybackurls to collect URLs with parameters to test for XSS, and gf to pick out the possible XSS parameters. After sorting the URLs I ran kxss and Dalfox. Bad luck, I got nothing.
Then I entered an XSS payload in the username field. Nothing happened. After that I put my own Instagram username in the field and was able to download my profile picture.
I thought, let's try something new: everyone pastes the payload into the input field, so why should I do the same? Instead I entered a simple XSS payload in the Instagram Name field of my own account, just like below.
Then I copied my Instagram username, pasted it into the username field of target.com, right-clicked on my profile and chose Open Link in New Tab.
After opening the profile in a new tab, BOOM 💥💥💥 XSS pop-up.
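What makes this bug interesting is where the payload lived: not in target.com's own form, but in the display name of an Instagram account that target.com fetched and then wrote into its own page without encoding it. The following is an added example, not code from the original post or from the target site, that models that rendering path. The profile object, its field names (`full_name`, `profile_pic_url`), the two render functions and the `tagNames` check are all assumptions made for illustration; the live Instagram lookup is replaced by a constructed object.

```javascript
// Added example, not code from the original post or the target site.
// It models the bug described above: the site fetches a third-party (Instagram)
// profile and writes the display name into its own HTML without encoding it, so
// the XSS payload lives in the Instagram name rather than in the site's own form.
// The profile object, field names and rendering functions are assumptions made
// for illustration; a live fetch is replaced by a constructed object.

// Constructed sample: what the site's backend might get back for the looked-up account.
// The full_name field is the attacker-controlled "Instagram Name" carrying the payload.
const fetchedProfile = {
  username: "fani.malik.example",
  full_name: "<img src=x onerror=alert(document.domain)>",
  profile_pic_url: "https://cdn.example/profile.jpg",
};

// Vulnerable rendering: every field is interpolated straight into markup, so any
// '<', '>' or quote in the fetched data becomes part of the page structure.
function renderProfileCardUnsafe(p) {
  return `<div class="card">` +
    `<img src="${p.profile_pic_url}" alt="profile picture">` +
    `<a href="/download?u=${p.username}">${p.full_name}</a>` +
    `</div>`;
}

// Minimal HTML escaping for text and double-quoted attribute contexts.
// In a real application, rely on the template engine's auto-escaping instead.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only allow http(s) URLs into src/href attributes; anything else is replaced.
function safeUrl(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : "about:blank";
  } catch {
    return "about:blank";
  }
}

// Hardened rendering: same card, but fetched data is treated as untrusted text,
// whichever service it came from.
function renderProfileCardSafe(p) {
  return `<div class="card">` +
    `<img src="${escapeHtml(safeUrl(p.profile_pic_url))}" alt="profile picture">` +
    `<a href="/download?u=${encodeURIComponent(p.username)}">${escapeHtml(p.full_name)}</a>` +
    `</div>`;
}

// Crude check: list the opening tag names present in the rendered markup.
// Any tag beyond the template's own div/img/a means fetched data became markup.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9]*)\b/gi), (m) => m[1].toLowerCase());
}

console.log("unsafe:", tagNames(renderProfileCardUnsafe(fetchedProfile)));
console.log("safe:  ", tagNames(renderProfileCardSafe(fetchedProfile)));
```

The unsafe render contains a fourth tag, the attacker's `<img>`, while the hardened render keeps the name as literal text. The point to take from the write-up is that the form field being clean says nothing about the page: every value the site pulls from another service is input too, and it has to be encoded for the context it is written into, whether the fetch happens in the browser or on the server.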
If you are a beginner and don't know what XSS is, please refer to the links below:
You can practice on the PortSwigger Web Security Academy labs for hands-on experience.
Thanks for reading; I'm expecting a clap from you. If you have any questions, my Twitter and Instagram profiles are below. You can DM me at any time.
Goodbye :)