The story behind the strong XSS filter bypass!

Hi All,

Yeasir Arafat here again to share my latest finds. Sharing is caring!! Today's topic is bypassing XSS filters on a domain and hosting company that runs a public bug bounty program.

I keep my eyes open on the site and try to get any information or help from Google, like its domain and sub-domains; that is called recon. I used the dorks site:*.*” & site:*” to find its sub-domains. That's fun!!

So, the targeted domain is which is out of scope for the bounty. I knew that my friend Ahsan leet had already found some critical issues and XSS on their site. Lately, I told myself I was going to bypass the protection and set my mind to giving it my full effort.

It doesn't seem easy. The firewalls of both domains are blocking me on every payload.

Firewall on the main domain
Firewall of the sub-domain

Seems tough! But I am not that kinda guy who will give up early!

After trying for 3 hours, I took an exotic payload and URL-encoded it; that was able to bypass the firewall but couldn't get the pop-up. I thought I needed a payload more advanced than that.

Still trying

The payload got injected but still couldn't give me the pop-up. To bypass the filter I added a similar payload, and boom!

some similar payload before main payload<a href="javascript&colon;alert&lpar;document&period;domain&rpar;">Click Here</a>some similar payload after main payload

Finally I was able to bypass the protection and got the first pop-up.

Feelings after bypassing the protection

Using the same technique, I got the second XSS. Second XSS payload:

some similar payload before main payload"><iframe/src=javascript&colon;[document&period;domain].find(alert)>some similar payload after main payload
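Both payloads get past the filter for the same reason: the filter inspects the raw request, while the browser decodes HTML character references (&colon;, &lpar;, &period;, &rpar;) inside attribute values before it evaluates the javascript: URL. As an added example (not code from the original post), here is a small Python check that compares a naive scheme match with one that undoes percent-encoding and entity encoding first; the sample inputs are constructed from the two payloads above.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs for this example: the two attribute-context payloads from the
# write-up, written the way the filter received them, plus a benign link.
SAMPLES = {
    "entity_href": '<a href="javascript&colon;alert&lpar;document&period;domain&rpar;">Click Here</a>',
    "entity_iframe": '"><iframe/src=javascript&colon;[document&period;domain].find(alert)>',
    "benign": '<a href="https://example.com/docs">Docs</a>',
}

# The scheme check a blocklist filter applies. Same pattern for both variants below.
JS_SCHEME = re.compile(r"javascript\s*:", re.IGNORECASE)


def naive_blocks(raw: str) -> bool:
    """The failing check: match the scheme against the raw request body.
    'javascript&colon;' never contains the literal 'javascript:'."""
    return bool(JS_SCHEME.search(raw))


def normalize(raw: str) -> str:
    """Undo the decoding layers the browser applies before it evaluates the URL:
    percent-encoding (the post sent the payload URL-encoded) and HTML character
    references (decoded inside attribute values). Repeat until stable so one
    layer cannot hide another (e.g. %26colon%3B -> &colon; -> :)."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, html.unescape(unquote(cur))
    # Browsers also drop ASCII tab, LF and CR inside a URL scheme.
    return re.sub(r"[\t\n\r]", "", cur)


def hardened_blocks(raw: str) -> bool:
    """Normalize first, then apply the same scheme check."""
    return bool(JS_SCHEME.search(normalize(raw)))


def compare(samples: dict) -> dict:
    """For each sample, report (naive verdict, hardened verdict)."""
    return {name: (naive_blocks(s), hardened_blocks(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare(SAMPLES).items():
        print(f"{name:14s} naive_blocks={naive!s:5s} hardened_blocks={hardened}")
```

Normalizing before matching closes this particular gap, but a blocklist on the scheme is still only a second line of defence; the page itself should context-encode output and allow only http(s) URLs in href and src.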

Watching the PoC (Proof of Concept) video can make the issues clear to you.


Note: The domain was actually out of scope on the Namecheap bounty program and hosted by Kayako. But it was an important XSS for both sites, which is why they paid me a good bounty.

Bounty time

Special thanks to Brute and Samuel Esteban.

Thanks for reading this article.

Yeasir Arafat