3 reflected XSS in one program
Hello everyone, in this blog post, I would like to discuss the Reflected XSS vulnerability I discovered.
What is Reflected XSS?
Reflected Cross-Site Scripting (Reflected XSS) is a type of web security vulnerability that occurs when a web application reflects user-supplied data in its responses without properly validating or sanitizing it. This can allow attackers to inject malicious scripts into the application, which are then executed in the victim’s browser.
Unlike Stored XSS, Reflected XSS relies on tricking a user into clicking a malicious link or interacting with a crafted input, making it an “on-the-fly” attack.
I was hunting in a VDP program on Hackerone. The scope covered all relevant domains connected to the company.
Normally I start by collecting subdomains, but this time I wanted to find different subdomains with a Google dork like the one below:
site:*<*.target.*
site:*>*.target.*
Then I found a subdomain like jobs.target.com and tried to find something there.
When I browsed the site with Wappalyzer, Cloudflare and a few other things were present on the site.
I then started surfing the site a bit and came across a link. It was like this:
jobs.target.com/?……&myname=…..&param2=…..&param3=…… These parameters were not reflected anywhere on the page, but when I browsed the source code they were successfully reflected.
I was getting blocked by Cloudflare when I tried HTML injection and XSS payloads.
Then I clicked on a different page on the same site where there was a search feature similar to the previous page. When I tried the same parameters on this page, the parameter values were successfully reflected both on the page and in the source code.
I then tried the following payload for 3 parameters:
</script><img src=xss onerror=alert(1)>
and xss was working successfully.
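The payload above works because the parameter value lands in two contexts at once: inside an inline `<script>` (where `</script>` closes the script element early) and in the page body (where the `<img>` tag is then parsed as markup). The following is an added illustration, not code from the site or program in the post: a hypothetical reflection sink written the vulnerable way beside a hardened version that HTML-escapes the value for markup and JSON-encodes it (with `<` escaped) for the script context. The payload string and helper names are constructed for this example.

```javascript
// Added example (hypothetical): a reflected-XSS sink and its hardened form.
// Not the code of the site described in the post.

// Constructed input modelled on the payload discussed above.
const PAYLOAD = '</script><img src=xss onerror=alert(1)>';

// Vulnerable: echoes the query value verbatim into the HTML body and into an
// inline script. "</script>" in the value terminates the script element early,
// and the rest of the value is parsed as markup.
function renderVulnerable(name) {
  return `<p>Results for ${name}</p>\n<script>var q = "${name}";</script>`;
}

// HTML-escape for element content and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape for the markup context, and JSON-encode for the script
// context with "<" turned into "\u003c" so "</script>" can never appear raw.
function renderHardened(name) {
  const forScript = JSON.stringify(String(name)).replace(/</g, '\\u003c');
  return `<p>Results for ${escapeHtml(name)}</p>\n<script>var q = ${forScript};</script>`;
}

// Simple check a tester or a response-scanning rule can apply: is the
// payload reflected byte-for-byte in the response?
function isReflectedUnescaped(html, payload) {
  return html.includes(payload);
}

// How many "</script>" closers does the response contain? A correctly
// rendered page with one inline script should contain exactly one.
function countScriptClosers(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Stand-alone demonstration.
console.log('vulnerable reflects raw payload:', isReflectedUnescaped(renderVulnerable(PAYLOAD), PAYLOAD));
console.log('hardened reflects raw payload:  ', isReflectedUnescaped(renderHardened(PAYLOAD), PAYLOAD));
console.log('script closers (vulnerable):', countScriptClosers(renderVulnerable(PAYLOAD)));
console.log('script closers (hardened):  ', countScriptClosers(renderHardened(PAYLOAD)));
```

The design point is that output encoding must match the context the value lands in; escaping only for HTML would still leave the inline-script context breakable, which is why the hardened version encodes the value twice, once per context.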
I created a separate report for each parameter and sent it. Unfortunately, all 3 reports were closed as duplicates.
Good reading for everyone, stay healthy.