OLX Bug Bounty: Reflected XSS
Who would have thought that there was even a bug that we could find on page 404 Not Found right?
This time I wrote up when I found Reflected XSS on one of the domains in-scope by OLX,
Step to Reproduce
https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert(1337) codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/(you can copy and paste).
- XSS is reflected inside HTML Link tag
ALT + SHIFT + Xin keyboard to trigger XSS payload.
- Alert will showing up.
After the bug was fixed, my name entered on the Security Hall of Fame 😎
https://hackerone.com/reports/504984 (Original Report).
https://portswigger.net/blog/xss-in-hidden-input-fields (XSS in hidden input fields).
PS: Sorry, maybe there are some irreverent words. It’s semi-google-translate. Hopefully you understand that xD