XSS on Sony subdomain

Gökhan Güzelkokar
Jan 6 · 2 min read

Hi guys. This is my first bug bounty writeup. I started to bug bounty on july 22, 2019. I want to share with community all the vulnerabilities I have found.

I choose for large scope programs when looking for bug bounty programs and for improve myself I don’t care about bounty now. So I chose SONY.

I started with subdomain enumaration. Firstly, I used crt.sh and I use the following to find potential sub-domains.










Sometimes just random letters..






I found this one (ppf.sony.net). Then, I used assetfinder and httprobe by tomnomnom for subdomain enumeration and I found a deep sub-domain. Here is our target sub-domain. authtry.dev2.sandbox.dev.ppf.sony.net

assetfinder -subs-only ppf.sony.net | httprobe


Then, I used dirsearch for secret directories. The default page appeared.

dirsearch.py -u “authtry.dev2.sandbox.dev.ppf.sony.net” -e html,json,php -x 403,500 -t 50

Also, phpinfo is a information disclosure. I submitted another report

When I visit to index.php I got this page.

As you can see we have 2 parameters and if you have parameters on the empty page, firstly try to get XSS. I tried get xss on the page and I got !!

Also my favorite payload : <img onerror=”{alert`1`}” src>

Thank you !!!

Gökhan Güzelkokar

Written by

ISTE https://twitter.com/gkhck_ https://hackerone.com/0x496 https://github.com/gkhan496/ https://m.youtube.com/channel/UCF75UK6iUcHxUdC8OMw7w4A

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade