Reflective XSS and Open Redirect on subdomain

Hi again! So here is one more writeup on a simple bug I found on a subdomain.

As always, I looked for subdomains using the Sublist3r tool.

While I was browsing through the subdomain, I noticed a functionality where a user could choose some filters from a dropdown and create a PDF report of the data which was generated.

I quickly selected some values and generated the report. When I opened the report, I noticed that the URL had an extra parameter, Target, which had the file location for the PDF file.

On seeing the Target parameter in the URL, my instant thought was to test for open redirect. So I entered the Target parameter value as and I noticed it was actually taking the user to

Vulnerable URL :

Next was to check if the same parameter was vulnerable to XSS as well. I gave the Target parameter value as javascript:alert(1) and, as I was suspecting, an alert box popped up.

I reported this issue to Indeed via Bugcrowd and the bug was resolved within a week. As part of the fix, they completely removed this functionality from the site.
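Where a redirect parameter like Target has to stay, the usual mitigation is to validate it server-side before redirecting. The following is an added example, not code from the affected site or from this writeup; the origin, the /reports/ prefix and the function name are assumptions chosen for illustration.

```javascript
// Assumed values for illustration only, not taken from the affected site.
const SITE_ORIGIN = "https://reports.example.test";
const REPORT_PREFIX = "/reports/";

// Returns a normalized same-origin path that is safe to redirect to,
// or null when the supplied Target value must be rejected.
function safeReportTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return null;
  }

  let url;
  try {
    // Resolve the value the way a browser would, so the checks below apply
    // to what the value actually becomes rather than to its raw text.
    url = new URL(raw, SITE_ORIGIN + "/");
  } catch (err) {
    return null;
  }

  // Rejects javascript:, data: and every other non-HTTPS scheme (the XSS case).
  if (url.protocol !== "https:") return null;
  // Rejects absolute and scheme-relative URLs to other hosts (the open redirect case).
  if (url.origin !== SITE_ORIGIN) return null;
  // Rejects embedded credentials such as https://user@host/.
  if (url.username || url.password) return null;
  // Only generated PDF reports under the assumed prefix are valid targets.
  // The pathname is already normalized, so "../" segments cannot escape it.
  if (!url.pathname.startsWith(REPORT_PREFIX)) return null;
  if (!url.pathname.toLowerCase().endsWith(".pdf")) return null;

  // Redirect to the parsed value, never to the raw input.
  return url.pathname + url.search;
}

// Constructed sample inputs.
const samples = [
  "/reports/2024/q1.pdf",
  "javascript:alert(1)",
  "https://other.example.test/x.pdf",
  "//other.example.test/reports/x.pdf",
  "/reports/../admin/x.pdf",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeReportTarget(s));
}
```

An even tighter design drops the path from the URL entirely and passes an opaque report ID that the server maps to a file.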

For any questions, you can get in touch with me @syntaxerror

Until next time