The story behind the strong XSS filter bypass!
Yeasir Arafat here again to share the latest finds. Sharing is caring!! Today's topic is bypassing XSS filters on a domain and hosting company that runs a public bug bounty program.
I keep my eyes on the site and try to get any information or help from Google, like its domain and sub-domains; that is called recon. I used these dorks, "site:*.*.namecheap.com" and "site:*.namecheap.com", to find its sub-domains. That's fun!!
So, the targeted domain is support.namecheap.com, which is out of scope for the bounty. I knew that my friend Ahsan Leet had already found some critical issues and XSS on their site. Lately, I told myself I was going to bypass the protection and set my mind to give it my full effort.
It didn't seem easy. The firewall of both domains was blocking me on every payload.
Seemed tough! But I am not the kind of guy who gives up early!
After trying for 3 hours, I took an exotic payload and URL-encoded it; that was able to bypass the firewall but couldn't get the pop-up. I thought I needed a payload more advanced than that.
The payload got injected but still couldn't give me the popup. To bypass the filter I added a similar payload and boom!
Finally I was able to bypass the protection and got the first pop-up.
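As an added illustration of the encoding trick described above (this is constructed example code, not the author's payloads or the actual filters of the sites in the write-up; the block-list, the query handling and all function names are hypothetical), here is a small JavaScript model of a block-list filter that inspects the raw query string, the URL-encoded input that slips past it, and the normalising filter plus output encoding that close the gap:

```javascript
// Constructed example (not from the write-up): a naive block-list filter that
// inspects the raw, still URL-encoded request, the encoded payload that gets
// past it, and a filter that normalises input first plus output encoding.
// Filter rules, parameter handling and function names are all hypothetical.

// Hypothetical "WAF" rule set: substrings the naive filter blocks.
const BLOCKED = ['<script', 'onerror=', 'javascript:', '<img', '<svg'];

// Naive filter: looks at the raw query string before the application decodes it.
function naiveFilter(rawQuery) {
  const lower = rawQuery.toLowerCase();
  return !BLOCKED.some((needle) => lower.includes(needle));
}

// Normalise the way the application will: decode until the value stops changing
// (catches single and double URL-encoding); stop on malformed escapes.
function canonicalise(rawQuery) {
  let prev = rawQuery;
  for (let i = 0; i < 5; i++) {
    let next;
    try {
      next = decodeURIComponent(prev.replace(/\+/g, ' '));
    } catch (e) {
      break;
    }
    if (next === prev) break;
    prev = next;
  }
  return prev;
}

// Hardened filter: inspects the canonical form, not the wire form.
function hardenedFilter(rawQuery) {
  return naiveFilter(canonicalise(rawQuery));
}

// What a vulnerable page does: decode once and reflect into HTML unescaped.
function vulnerableRender(rawQuery) {
  return `<p>Search results for: ${decodeURIComponent(rawQuery)}</p>`;
}

// Output encoding: the fix that holds regardless of what the filter missed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function safeRender(rawQuery) {
  return `<p>Search results for: ${escapeHtml(canonicalise(rawQuery))}</p>`;
}

// Constructed sample inputs.
const PLAIN = '<script>alert(1)</script>';
const ENCODED = encodeURIComponent(PLAIN);   // %3Cscript%3Ealert(1)%3C%2Fscript%3E
const DOUBLE = encodeURIComponent(ENCODED);  // %253Cscript%253E...

// Returns the outcome of each check so the behaviour can be asserted on.
function demo() {
  return {
    plainBlockedByNaive: !naiveFilter(PLAIN),
    encodedPassesNaive: naiveFilter(ENCODED),
    encodedReflectedAsTag: vulnerableRender(ENCODED).includes(PLAIN),
    encodedCaughtByHardened: !hardenedFilter(ENCODED),
    doubleCaughtByHardened: !hardenedFilter(DOUBLE),
    safeOutputHasNoTag: !safeRender(ENCODED).includes('<script'),
  };
}

console.log(demo());
```

The point the model makes is the one the write-up hints at: getting a payload past the firewall is only half the job. The encoded string passes the naive filter, but it only becomes a pop-up if the application decodes it and reflects it into a context the browser parses as markup; if the page encodes on output, the bypass lands but nothing executes.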
Using the same technique, I got the second XSS. Second XSS payload:
Watching the PoC (Proof of Concept) video can make the issues clear to you.
Note: The domain was actually out of scope for the Namecheap bounty program and hosted by Kayako. But it was an important XSS for both sites; that's why they paid me a good bounty.
Thanks for reading this article.