OLX Bug Bounty: Reflected XSS

Who would have thought that there was even a bug that we could find on page 404 Not Found right?

This time I wrote up when I found Reflected XSS on one of the domains in-scope by OLX, sharjah.dubizzle.com.


Step to Reproduce

  • Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert(1337) codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/ (you can copy and paste).
  • XSS is reflected inside HTML Link tag
  • Press ALT + SHIFT + X in keyboard to trigger XSS payload.
  • Alert will showing up.

After the bug was fixed, my name entered on the Security Hall of Fame 😎

Reference

https://hackerone.com/reports/504984 (Original Report).
https://portswigger.net/blog/xss-in-hidden-input-fields (XSS in hidden input fields).

PS: Sorry, maybe there are some irreverent words. It’s semi-google-translate. Hopefully you understand that xD