OLX Bug Bounty: Reflected XSS
Mar 13, 2019
Who would have thought there was a bug to be found on a 404 Not Found page, right?
This write-up covers a Reflected XSS I found on one of OLX's in-scope domains, sharjah.dubizzle.com.
Steps to Reproduce
- Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert(1337) codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/ (you can copy and paste).
- The XSS is reflected inside an HTML link tag.
- Press ALT + SHIFT + X on the keyboard to trigger the XSS payload.
- An alert will show up.
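The reflection described in the steps above, shown next to an attribute-encoded version of the same output. This is an added example, not code from OLX or from the original report; the function names, the placeholder origin and the choice of a rel="canonical" link tag are assumptions, and the path is the one from the URL above after percent-decoding.

```javascript
// Added example: names, base URL and the rel="canonical" tag are assumptions.
const BASE = 'https://example.test'; // constructed placeholder origin

// Request path taken from the URL in the steps above (after percent-decoding).
const REPORTED_PATH = '/property-for-sale/land" accesskey="X" onclick=alert(1337) ' +
  'codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/';

// Before: the decoded path is concatenated straight into a quoted attribute.
function renderLinkUnsafe(path) {
  return '<link rel="canonical" href="' + BASE + path + '">';
}

// Encode every character that can close the attribute value or open a tag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// After: same markup, but the path is attribute-encoded before output.
function renderLinkSafe(path) {
  return '<link rel="canonical" href="' + BASE + escapeAttr(path) + '">';
}

// Simplified start-tag scanner: lists the attribute names a parser would see.
function attributeNames(tag) {
  const body = tag.replace(/^<\w+/, '').replace(/>$/, '');
  const attr = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = attr.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Regression check: reflected input must not add attributes to the tag.
function addsAttributes(render, path) {
  const expected = ['rel', 'href'];
  const seen = attributeNames(render(path));
  return seen.length !== expected.length || seen.some((n, i) => n !== expected[i]);
}

console.log(attributeNames(renderLinkUnsafe(REPORTED_PATH)));
console.log(attributeNames(renderLinkSafe(REPORTED_PATH)));
```

The unsafe renderer yields a tag with accesskey and onclick attributes, which is why the keyboard shortcut fires the handler; the encoded renderer keeps the whole path inside href.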
After the bug was fixed, my name was added to the Security Hall of Fame 😎
Reference
https://hackerone.com/reports/504984 (Original Report).
https://portswigger.net/blog/xss-in-hidden-input-fields (XSS in hidden input fields).
PS: Sorry, maybe there are some irreverent words. It’s semi-google-translate. Hopefully you understand that xD