DEV XSS Protection bypass made my quickest bounty ever!!

Hi all, this is Yeasir Arafat here. I would love to share my last XSS, which earned my fastest bounty ever. I believe sharing is caring :D

So, this time I was able to bypass DEV's XSS protection and also earn a bounty in very little time. Before reporting this XSS I had already got some cool swag (and a little bounty) from them: I had found HTML injection on their public discussion pages, and at that time I was able to inject malicious script along with the HTML.

Example of the malicious markup:

<a href="https://attacker/phish.php"><img src="https://attacker/content.jpg"></a><script>

After I reported this issue, they started filtering any malicious script, including the normal XSS payloads. My friend Shawar Khan and I tried to convert the HTML injection into XSS, but no luck :( .

After I got some cool swag, they announced their bounty program. I thought, why not some bounty as well?

Because DEV's scope is limited, I started looking for XSS. I dropped in some common payloads, like img src / svg onload and so on, but their firewall blocked me every time. Then I tried a more advanced payload and saw that the response was different from the one the other payloads got, as in the picture below:

[Screenshot: i-frame vulnerable]

This was interesting; I thought maybe iframe payloads could trigger XSS here. A moment later I tried an advanced iframe payload and got a stored XSS that bypassed their filtering protection. Payload:

<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

Why this payload?

As I said before, after I reported the HTML injection they started filtering any malicious script, but I noticed that their comment box was still vulnerable to iframe injection. So I started looking on Google for advanced iframe XSS payloads, found some, and this iframe payload worked :) . The reason it gets through is that the submitted comment contains no <script> tag and no event handler for the filter to match: the script only exists as percent-encoded text inside a data: URL, and the browser decodes %3C%73%63%72%69%70%74%3E... back to <script>alert(1)</script> when it renders the iframe.
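To make the bypass concrete, here is an added example (my own code, not code from the original post and not DEV's filter, which is not published) that runs a naive keyword blocklist over the three payload kinds mentioned above, then runs a second filter that decodes data: URLs the way the browser will. The blocklist rules and the exact sample payload strings are assumptions constructed for the demo. It runs under Node (Buffer is used for base64 data: URLs).

```javascript
// Added example, not code from the original post or from DEV. Shows why a
// keyword blocklist passes the iframe/data: payload while blocking the
// img/svg ones, and what a filter that decodes data: URLs sees instead.
// The blocklist rules are an assumption about what a naive WAF checks.

// Naive blocklist of the kind that stopped the "common payloads" in the post.
const BLOCKED = [
  /<\s*script/i,        // literal <script> tag
  /\bon[a-z]+\s*=/i,    // inline event handlers: onload=, onerror=, ...
  /javascript\s*:/i,    // javascript: URLs
];

function naiveFilterBlocks(html) {
  return BLOCKED.some((re) => re.test(html));
}

// Collect src/href attribute values from a fragment. A regex is enough for
// this demo; a production sanitizer must use a real HTML parser (e.g. DOMPurify).
function attributeUrls(html) {
  const urls = [];
  const re = /\b(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Decode a data: URL the way the browser does before rendering it.
// Returns { mediaType, body } or null if the value is not a data: URL.
function decodeDataUrl(url) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(url.trim());
  if (!m) return null;
  const [, meta, encoded] = m;
  let body;
  try {
    body = /;base64$/i.test(meta)
      ? Buffer.from(encoded, "base64").toString("utf8")
      : decodeURIComponent(encoded);
  } catch {
    body = encoded; // malformed escapes: keep the raw text so it is still inspected
  }
  return { mediaType: (meta.split(";")[0] || "text/plain").toLowerCase(), body };
}

// Same blocklist, applied recursively to the decoded content of any data: URL
// the browser would render as HTML (or SVG/XML, which can also carry script).
function decodingFilterBlocks(html) {
  if (naiveFilterBlocks(html)) return true;
  return attributeUrls(html).some((url) => {
    const d = decodeDataUrl(url);
    return d !== null && /html|svg|xml/.test(d.mediaType) && decodingFilterBlocks(d.body);
  });
}

// Constructed sample inputs: the post's working payload plus two of the
// "common payload" kinds the post says the firewall blocked.
const PAYLOADS = {
  imgOnerror: "<img src=x onerror=alert(1)>",
  svgOnload: "<svg onload=alert(1)>",
  iframeData:
    '<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>',
};

// Run both filters over every sample and return the verdicts.
function demo() {
  const results = {};
  for (const [name, html] of Object.entries(PAYLOADS)) {
    results[name] = { naive: naiveFilterBlocks(html), decoding: decodingFilterBlocks(html) };
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(demo());
  console.log("iframe renders:", decodeDataUrl(attributeUrls(PAYLOADS.iframeData)[0]).body);
}
```

Two practical notes. First, recursing into data: URLs is a stopgap; the robust fix is an allowlist sanitizer that drops <iframe> from user comments entirely (or restricts src to http(s) and adds the sandbox attribute), backed by a Content-Security-Policy frame-src that excludes data:. Second, when judging impact: current browsers give a data: URL iframe an opaque (null) origin, so the alert fires but that frame cannot read the parent page's cookies or DOM, which is why the payload proves a filter bypass and stored script execution rather than an account-takeover primitive.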

I quickly reported it to them and got a fast response with a $150 bounty in less than 30 minutes, which was my fastest bounty ever.

PoC video

Thanks

Yeasir Arafat

Web Application Security Researcher