Hey today I will share my first ever valid xss bug which was a reflected xss on a public program on hackerone.
So lets start, I was very new to hackerone and I took a random program to start and I started to do some recon by finding the subdomains and different endpoints.When I was looking at different pages inside the website and then I found an endpoint like this:
I thought there is something fishy here and I opened that page but the page loaded normally.Then I looked at the source of the page and at last of the source I founded a commented out string containing the path after the domain.
So I tried entering something else in the url path and it displayed as it is in that comment.So I tried closing that comment with a closing comment tag
— —><test> and I was successful in closing that comment tag and was successful in inserting other tags so I insert a script tag after that so the final payload become
and boom! xss executed!
So in this way I was able to execute xss on that page.Later I realised that this was on every page of that domain and every path of that particular domain had a commented out string containing whatever in the url path was, so xss was executing on every page of that domain.
Reported : 26/05/2018
Bounty : $100
Thanks for reading! I will post my more interesting findings here.