My First Reflected XSS Bug Bounty — Google Dork — $xxx
2022-2-16 16:3:31 Author: infosecwriteups.com (view original) Reads: 1498

Proviesec

Today I will share a reflected XSS vulnerability that I reported to a security team as part of their bug bounty program on HackerOne. I became aware of this XSS flaw through a good Google dork of mine.

Cross-site scripting (XSS) is a web application vulnerability that allows an attacker to inject code (usually HTML or JavaScript) into the content of an external website. When the victim views the infected page on the website, the injected code is executed in the victim’s browser. As a result, the attacker bypasses the browser’s same-origin policy and is able to steal private information from victims.

Google dorking is basically a search that uses advanced search queries to find information that is not easily available on websites. Dorks are search strings which you enter into Google search to find certain vulnerabilities.

Google dorking is actually quite simple. You just need to know a few basic dorks that can give you the information you need.

intitle:"index of" 
intext:"Index of /" +.htaccess
filetype:log
site:medium.com

Here you can find more of them: https://github.com/Proviesec/google-dorks

And the Google Hacking Database contains a lot of Google dorks that can find vulnerabilities or signs of a CVE: https://www.exploit-db.com/google-hacking-database

  1. I searched Google with this dork: site:redacted.com inurl:quiz inurl:&
  2. Google returned only 2 results, and I took a deeper look at the first one.

Next steps:

  1. Go to https://www.redacted.com/lp/ecommerce/commercial-quiz/thanks.html?ques-01=false&ques-02=false&ques-03=true&ques-04=false&ques-05=false&ques-06=true&ques-07=false&ques-08=false&ques-09=false&ques-10=false&score=99
  2. Change the parameter score to 99testme%3CIMG%20%22%22%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E%22\%3E
  3. An alert box showing the value of document.cookie pops up.
  4. Then I tried to chain the bug with other bugs, but after 2 days I reported only the XSS bug and got a triple-digit bounty for it.

Here is the short HackerOne report:

Timeline:

Submitted: 18 Jul, 2021

Accepted: 20 Jul, 2021

Triaged: 23 Jul, 2021

Resolved: 25 Jul, 2021

Closed: 08 Nov, 2021

How can you find XSS?

Tools:

Similar reports:

Tip: “Old procedures, many reports, big scopes.” Don’t let this bother you. Try to find more and more parameters and test them all.

Do your research well before testing for XSS. Don’t fire payloads at every parameter. Think first, then test the parameters: for example, check whether an input is reflected in the response or not, and check each parameter before applying payloads to it.
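To show what "check whether the input is reflected" means in practice, and what the fix for the `score` bug in the steps above looks like on the server side, here is an added example (not code from the original post or from the affected site). It is a minimal Node.js renderer for a "thanks" page in the shape the writeup describes: the vulnerable version concatenates the `score` query value straight into the HTML, the fixed version escapes it for an HTML text context, and a small check sends a harmless canary through a renderer and reports whether it comes back verbatim, escaped, or not at all. The page template and the canary are assumptions; only the URL path and parameter names come from the writeup.

```javascript
// Added example, not from the original post. The page template below is an
// assumption; the URL path and the `score` parameter come from the writeup.

// Escape the five characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer: the `score` query value is concatenated into the
// markup as-is, so whatever the URL carries becomes part of the page.
function renderThanksVulnerable(requestUrl) {
  const score = new URL(requestUrl).searchParams.get("score") ?? "";
  return `<html><body><h1>Thanks!</h1><p>Your score: ${score}</p></body></html>`;
}

// Fixed renderer: same template, but the value is HTML-escaped before it is
// inserted, so the browser treats it as text rather than markup.
function renderThanksFixed(requestUrl) {
  const score = new URL(requestUrl).searchParams.get("score") ?? "";
  return `<html><body><h1>Thanks!</h1><p>Your score: ${escapeHtml(score)}</p></body></html>`;
}

// Reflection check: put a constructed canary containing HTML metacharacters
// into one parameter, render, and classify the result.
//   "unescaped"     - value reflected verbatim: output encoding is missing
//   "escaped"       - value reflected but encoded: safe in a text context
//   "not-reflected" - the parameter does not reach the page at all
function checkReflection(render, baseUrl, param) {
  const canary = 'canary<"\'>'; // constructed probe, contains no script
  const u = new URL(baseUrl);
  u.searchParams.set(param, canary); // URL-encoded here, decoded by the renderer
  const body = render(u.toString());
  if (body.includes(canary)) return "unescaped";
  if (body.includes(escapeHtml(canary))) return "escaped";
  return "not-reflected";
}

// Constructed request in the shape of the URL from the writeup.
const BASE =
  "https://www.redacted.com/lp/ecommerce/commercial-quiz/thanks.html?ques-01=false&score=99";

console.log("vulnerable renderer:", checkReflection(renderThanksVulnerable, BASE, "score"));
console.log("fixed renderer:     ", checkReflection(renderThanksFixed, BASE, "score"));
console.log("unused parameter:   ", checkReflection(renderThanksFixed, BASE, "ques-01"));
```

Running it prints `unescaped` for the vulnerable renderer, `escaped` for the fixed one, and `not-reflected` for a parameter the template never uses. The same three-way classification is what a developer can turn into a regression test for every parameter a page reads: anything that comes back `unescaped` needs context-appropriate output encoding before it ships.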

Here is my Hackerone profile: https://hackerone.com/proviesec

Please feel free to ask me and suggest changes I should consider next time. Thanks for reading anyway 👋.

Do you need another good article? -> https://infosecwriteups.com/broken-link-hijacking-404-google-play-store-xxx-bounty-96e79a8dfd71


Article source: https://infosecwriteups.com/my-first-reflected-xss-bug-bounty-google-dork-xxx-92ac1180e0d0?source=rss----7b722bfd1b8d--bug_bounty
For copyright complaints, contact: admin#unsafe.sh