My First 0day Exploit (Reflected XSS) #BUGBOUNTY

Hi guys!


1. When I went to , I saw this code block:

2. Then I thought about which characters I could use. So, I went to: ”’<>/();

Then I saw I could not use </script><img src=v onerror=alert(1)> to get XSS. I thought I would not bypass it, but maybe I could add JavaScript, so I could get XSS. After researching JavaScript for a while, I created the required block of code:

); alert(document.domain); if (1

When I went to ; alert(document.domain); if (1 , I saw the XSS alert ;)
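To make the bug class concrete from the defender's side, here is an added example in Node.js (not code from the original post). The template shape search(<input>);, the blacklist contents and the stubbed runner are assumptions modelled on what the post describes. It shows that the post's payload passes a tag blacklist and executes when the value is spliced into a JavaScript expression, and that it stays inert once the value is encoded as a JavaScript string literal (JSON encoding plus \uXXXX escapes for <, >, & and the U+2028/U+2029 line terminators).

```javascript
// Added example (not code from the original post). It models the bug class the
// post describes: user input reflected into a JavaScript context inside a
// <script> block, guarded only by a blacklist of HTML tags. The template shape
// `search(<input>);`, the filter list and the runner are assumptions.

// Blacklist in the spirit of the post's filter: tag-based payloads such as
// "</script><img src=v onerror=alert(1)>" are rejected, but quotes,
// parentheses and semicolons pass untouched.
function blacklistFilter(input) {
  const banned = [/<\/script/i, /<img/i, /<svg/i, /onerror/i];
  return banned.some((re) => re.test(input)) ? "" : input;
}

// Vulnerable rendering: the filtered value is spliced directly into a JS
// expression, so ")" and ";" end the call and start a new statement.
function renderVulnerable(q) {
  return `search(${blacklistFilter(q)});`;
}

// Hardened rendering: encode for a JS string literal. JSON.stringify handles
// quotes, backslashes and control characters; the extra pass converts "<", ">",
// "&" and the U+2028/U+2029 line terminators to \uXXXX escapes so the string
// can never close the surrounding <script> element or break the literal.
function encodeForJsString(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderHardened(q) {
  return `search(${encodeForJsString(q)});`;
}

// Runner that evaluates the generated script with stubbed `search`, `alert`
// and `document`, recording every call so the effect of each rendering can be
// inspected without a browser.
function runScript(script) {
  const calls = [];
  const search = (...args) => calls.push({ fn: "search", args });
  const alert = (...args) => calls.push({ fn: "alert", args });
  const fakeDocument = { domain: "example.test" }; // constructed value
  new Function("search", "alert", "document", script)(search, alert, fakeDocument);
  return calls;
}

// The payload from the post, unchanged.
const POST_PAYLOAD = "); alert(document.domain); if (1";

function demo() {
  const vulnerable = runScript(renderVulnerable(POST_PAYLOAD));
  const hardened = runScript(renderHardened(POST_PAYLOAD));
  console.log("vulnerable:", renderVulnerable(POST_PAYLOAD), vulnerable);
  console.log("hardened:  ", renderHardened(POST_PAYLOAD), hardened);
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Run it with node. In the vulnerable rendering the generated script becomes search(); alert(document.domain); if (1); and the stubbed alert fires; in the hardened rendering the whole payload arrives as the single string argument of search. The same encoding also neutralises the </script> approach the post tried first, because < and > never reach the HTML parser unescaped; a blacklist only decides which characters are missing from the next payload.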

Some popular companies are using this script. Example:

  • Shopify
  • Canva
  • Yelp
  • Western Union
  • Cuvva, etc.

And I reported it to the developer’s bug bounty program. Then this was fixed.

