N/a to $750 bounty for a Blind XSS.

  • I used a blind HTML (BHTML) payload.
  • After some days, www.blindf.com received a response from the vulnerable server.
  • I went ahead and submitted the basic BXSS payload.
  • I waited for 20 days but did not receive a response.
  • Then I used a trick: I submitted a blind HTML payload.
  • After some time, I received a response from my BHTML payload, but the BXSS payload did not send any response. I understood that my BXSS payload had failed and would not send any response now, because both payloads were submitted on the same day and should have fired at the same time.
  • www.blindf.com provides other payloads too, with minimal JS execution. I used a different payload that only extracts cookies and not any DOM values from the page.
  • This payload was executed and I received the basic cookie.
  • Bug Submitted
  • The triager tried to reproduce the bug but failed, so he closed my bug as N/A.
  • I raised the issue. Another triager used a well-known website that is used to find BXSS but did not receive any response.
  • Again closed as N/A.
  • I raised the issue again and provided my www.blindf.com account credentials to him to reproduce the bug.
  • I asked him to fill out the form twice, the first time with the BHTML payload and the second time with the BXSS (Cookie extraction) payload.
  • Payloads were executed and www.blindf.com received the response from both payloads.
  • Triaged
  • Bounty received: $750
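The write-up contrasts two classes of callback payload: markup that only makes the victim's browser fetch a third-party resource (the BHTML canary) and markup that executes script (the BXSS payload). As an added defender-side example, not code from the original post, the scanner below flags both classes in a stored form submission before it is rendered in an internal panel; the application host and the sample inputs are constructed for illustration.

```python
"""Flag submitted markup that would fetch a third-party resource (BHTML class)
or run script (BXSS class). Added example; host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a browser fetch a URL when the element is rendered.
LOAD_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "object": ("data",), "embed": ("src",),
}


class SubmissionScanner(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (kind, tag, detail)

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        # Script execution: <script>, on* handlers, javascript: URLs.
        has_js_url = any(urlparse(v.strip()).scheme.lower() == "javascript"
                         for v in attrs.values())
        if tag == "script" or has_js_url or any(k.startswith("on") for k in attrs):
            self.findings.append(("script", tag, ",".join(sorted(attrs))))
        # Resource loads pointing outside the application's own hosts.
        for attr in LOAD_ATTRS.get(tag, ()):
            parts = attrs.get(attr, "").split()  # srcset: first token is a URL
            if not parts:
                continue
            host = urlparse(parts[0]).hostname  # also handles //host/path
            if host and host.lower() not in self.own_hosts:
                self.findings.append(("external_load", tag, host.lower()))


def scan_submission(text, own_hosts=("app.example.test",)):
    """Return findings for one submitted field; an empty list means nothing flagged."""
    scanner = SubmissionScanner(own_hosts)
    scanner.feed(text)
    scanner.close()
    return scanner.findings
```

Same-origin resources such as `<img src=/static/logo.png>` are not flagged, so the check can run on every stored field without drowning reviewers in benign markup.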
