From Recon to DOM-Based XSS

I was doing some Google dorking to find out whether there were any interesting files or parameters in the bug bounty program's scope. I tried a lot of dorks, and when it was the turn of this one, "site:*.REDACTED.com inurl:file", I found this endpoint: https://REDACTED.com/files/file.htm
There were some articles listed on the page, so I navigated to one of them and the URL changed to look like this:
https://REDACTED.com/files/file.htm#article1.html
After about 5 minutes I figured out that anything you put after the "#" is reflected into the src of an IFRAME HTML tag, with no validation.
So I tried to open an external domain:
https://REDACTED.com/files/file.htm#http://evil.com
and guess what? It rendered inside the frame.
Then I tried to inject the XSS payload "javascript:alert(1)", and it worked too, since a javascript: URL in an iframe src executes in the embedding page's origin:
https://REDACTED.com/files/file.htm#javascript:alert(1)
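To make the root cause and the fix concrete, here is an added example that is not code from the original write-up or from the affected site (whose source was never shown). It contrasts the vulnerable pattern the post describes, where the fragment is copied straight into the iframe src, with a hardened version that only accepts a bare article file name and resolves it against a fixed same-origin directory. The base URL, the regular expression, the element id and the function names are all assumptions made for this example.

```javascript
// Added example, not the original site's code.
// Pattern the post describes: whatever follows '#' becomes the iframe src
// verbatim, so "#http://evil.com" frames an external site and
// "#javascript:alert(1)" runs script in the page's own origin.
function vulnerableFrameSrc(hash) {
  return hash.startsWith('#') ? hash.slice(1) : hash;
}

// Hardened version: allowlist a plain article file name and resolve it
// against a fixed same-origin directory. Base URL is an assumption
// (lowercase, because the URL parser normalises the host).
const ARTICLE_BASE = 'https://redacted.com/files/';
const ARTICLE_NAME = /^[A-Za-z0-9_-]+\.html?$/;

function safeFrameSrc(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  let name;
  try {
    name = decodeURIComponent(raw); // malformed escapes throw -> reject
  } catch (e) {
    return null;
  }
  // Reject schemes, slashes, dots other than the extension, etc.
  if (!ARTICLE_NAME.test(name)) return null;
  const target = new URL(name, ARTICLE_BASE);
  // Belt and braces: the resolved URL must still live under the article directory.
  if (!target.href.startsWith(ARTICLE_BASE)) return null;
  return target.href;
}

// Browser wiring, guarded so the same file also loads under Node for testing.
if (typeof document !== 'undefined') {
  const frame = document.getElementById('article-frame'); // assumed element id
  const render = () => {
    const src = safeFrameSrc(window.location.hash);
    if (src) {
      frame.src = src;
    } else {
      frame.removeAttribute('src'); // unknown or hostile fragment: show nothing
    }
  };
  window.addEventListener('hashchange', render);
  render();
}
```

The key design choice is to validate the fragment as an identifier (a file name drawn from a tight character set) rather than as a URL; parsing it as a URL and checking the scheme afterwards is easy to get wrong, whereas a name that only contains letters, digits, `-`, `_` and a `.html` suffix can never introduce a scheme, a host or a path traversal.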

I hope you liked the writeup; it's pretty simple, as you can see.
Regards,
Abdelfattah.
