From Recon to DOM-Based XSS

I was doing some google dorking to find out if there’s any interesting files or parameters in the bug bounty program scope so i’ve tried alot of dorks and it was the turn of this one “ site:* inurl:file “ and then i found this endpoint :
and there was some listed articles in the page so i navigated to an article and the url changed to be like this:
after about 5 minutes i’ve figured out that any thing that you’ll put after “#” it will reflect in an IFRAME html tag
so i tried to open an external domain:
and guess what?

and then tried to inject XSS payload “javascript:alert(1)” and it worked!

I hope you guys like the writeup it’s pretty simple as you see