From Recon to DOM-Based XSS

Abdelfattah Ibrahim
1 min read · Nov 11, 2017


I was doing some Google dorking to find out whether there were any interesting files or parameters in the bug bounty program's scope. I tried a lot of dorks, and when it was the turn of this one, “site:*.REDACTED.com inurl:file”, I found this endpoint: https://REDACTED.com/files/file.htm
The page listed some articles, so I navigated to one and the URL changed to this:
https://REDACTED.com/files/file.htm#article1.html
After about 5 minutes I figured out that anything you put after the “#” is reflected into an IFRAME HTML tag,
so I tried to open an external domain:
https://REDACTED.com/files/file.htm#http://evil.com
And guess what?

Then I tried to inject the XSS payload “javascript:alert(1)”, and it worked:
https://REDACTED.com/files/file.htm#javascript:alert(1)
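The bug comes down to one line of client-side code: the page takes whatever follows “#” in the URL and writes it straight into the iframe's src, so a javascript: URL or an external origin is accepted as readily as a filename. Below is an added example, not code from the writeup or from the affected site, that shows that pattern as a plain function next to a hardened version which treats the fragment as an article name rather than a URL. The host and the /files/ path come from the post; the function names, the article filename rule and the element id are assumptions for illustration.

```javascript
// Added example (not the original page's code). Host and /files/ path are from
// the writeup; everything else is an assumption for illustration.
// The WHATWG URL parser lowercases hostnames, so the base is written lowercase.
const BASE = 'https://redacted.com/files/';

// Vulnerable pattern: whatever follows '#' becomes the iframe src verbatim.
// '#javascript:alert(1)' therefore yields a javascript: URL (DOM-based XSS),
// and '#http://evil.com' frames an attacker-chosen origin.
function unsafeArticleSrc(hash) {
  return decodeURIComponent(hash.replace(/^#/, ''));
}

// Hardened version: the fragment is a *name*, never a URL.
// 1. Accept only a plain filename ending in .html (no '/', no ':', no '..').
// 2. Resolve it relative to a fixed base with the URL parser.
// 3. Confirm the result is still https, same origin, and under /files/.
// Anything else returns null so the caller can fall back to a default page.
const ARTICLE_NAME = /^[A-Za-z0-9_-]{1,64}\.html$/;

function safeArticleSrc(hash) {
  let name;
  try {
    name = decodeURIComponent(hash.replace(/^#/, ''));
  } catch (e) {
    return null; // malformed percent-encoding (URIError)
  }
  if (!ARTICLE_NAME.test(name)) return null;

  const base = new URL(BASE);
  const target = new URL(name, base); // relative resolution only
  if (target.protocol !== 'https:') return null;
  if (target.origin !== base.origin) return null;
  if (!target.pathname.startsWith(base.pathname)) return null;
  return target.href;
}

// Browser wiring; skipped under Node so the functions above run stand-alone.
if (typeof document !== 'undefined') {
  const frame = document.getElementById('article-frame'); // assumed element id
  const render = () => {
    const src = safeArticleSrc(location.hash);
    frame.src = src !== null ? src : BASE + 'index.html'; // assumed default
  };
  window.addEventListener('hashchange', render);
  render();
}
```

The allowlist regex alone already rejects the two inputs from the post, since neither a “:” nor a “/” can appear in an article name; the URL-parser checks are a second layer in case the naming rule is loosened later. A Content-Security-Policy with a frame-src directive restricted to the site's own origin would block the external-domain case server-side as well, but it does not replace validating the fragment.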

I hope you guys like the writeup; it's pretty simple, as you can see.
Regards,
Abdelfattah.
