Cross-site scripting: The power of the hidden parameters.

Hey everyone! This is another XSS writeup that you can learn from, a strange one in fact.

It’s my first writeup so be kind to me. I am just trying to share my findings.

Like any other bug hunter, one day I had the urge to look for a bug, so while browsing HackerOne programs, my eyes caught Sony’s program.

Let’s test sony I said.

I started my recon by opening google and playing with some dorks such as site:*.sony.*

After a while, I found the domain “sony.jp”. I checked it and it seemed like a good start.

As a start, I used amass like below to gather some subdomains.

amass enum -passive -d sony.jp -o sony.txt

After getting a list of subdomains, I passed them to httprobe to only keep the alive ones.

However, if you want to get only working subdomains, you can use amass, httprob like this:

amass enum -passive -d sony.jp -o sony.jp ; cat sony.jp | httprobe | tee sony.txt ; rm sony.jp

I started enumerating the list of subdomains for a while and then I noticed one with a lot of functions.

What I mean by “a lot of functions” is it has many user interactions.

I tried to fetch for bugs like csrf , IDOR , sql , and even rce, but I couldn’t find anything of interest.

What about XSS?!

I started searching for parameters and I got a lot of ones but sadly no xss. :’(

I checked the source code in the browser. I started looking for hidden parameters, then I found a parameter named “cs”.

Tip: Never forget to look for hidden parameters in the source code. click view source code and search for “hidden”, “input”, or “var” parameters.

I tried injecting a bunch of XSS payloads in it but nothing worked out. :(

While I was about to give up and look for another subdomain, I hyped myself a little and tried the parameter “Couponcode”

Because there was an option to add a coupon code on the page.

redacted.sony.jp/?Couponcode=hunter”><svg/onload=confirm(document.cookie)>

Unfortunately, no XSS.

But when I added the “cs” parameter, the XSS popped up.

So the final url is :

redacted.sony.jp/?Couponcode=hunter”><svg/onload=confirm(document.cookie)>&cs=

So here’s how it works.

When I put the payload in the “couponcode” parameter the XSS didn’t work out because the payload was filtered, but when I added the cs parameter, a new “<link>” tag was generated in the source code, which had no filter.

<link href=”https://redacted.sony.jp/?Couponcode=hunter"><svg/onload=confirm(document.cookie)>&cs=">

That’s it.

See you in the next writeup.

twitter: https://twitter.com/kassihmouhssine

linkedin : https://www.linkedin.com/in/kassih-mouhssine/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store