My first valid XSS (@HackerOne)

Jatin Aesthetic
Aug 25, 2018 · 2 min read

Hey, today I will share my first ever valid XSS bug, which was a reflected XSS on a public program on HackerOne.

So let's start. I was very new to HackerOne, so I picked a random program to start with and began doing some recon, finding subdomains and different endpoints. While I was looking at the different pages inside the website, I found an endpoint like this:

https://example.com/abc/]

I thought there was something fishy here, so I opened that page, but it loaded normally. Then I looked at the source of the page, and at the end of the source I found a commented-out string containing the path after the domain.


So I tried entering something else in the URL path, and it was displayed as-is inside that comment. Then I tried closing the comment with a closing comment tag, --><test>, and I succeeded in closing the comment and inserting other tags. So I inserted a script tag after it, and the final payload became

https://example.com/abc/]--><script>alert(1)</script>

and boom! xss executed!

So in this way I was able to execute XSS on that page. Later I realised that this affected every page of that domain: every path of that particular domain had a commented-out string containing whatever was in the URL path, so XSS was executing on every page of that domain.
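The root cause described above is untrusted input echoed into an HTML comment without escaping. As an added example (not the program's code; the path and markup are constructed), here is the vulnerable rendering beside a hardened one, with a parser confirming which of the two lets a tag escape the comment:

```python
import html
from html.parser import HTMLParser

# Constructed payload mirroring the write-up: a path segment that closes the
# comment and appends a script tag.
PAYLOAD = "]--><script>alert(1)</script>"


def render_vulnerable(path):
    """Echo the request path into a trailing HTML comment unmodified."""
    return f"<html><body>page</body></html>\n<!-- {path} -->"


def escape_for_comment(text):
    """Make untrusted text safe to place inside an HTML comment."""
    # Neutralise < > & so neither '-->' nor a nested '<!--' can be formed.
    text = html.escape(text, quote=False)
    # Comments must not contain a double hyphen either; break up any run.
    while "--" in text:
        text = text.replace("--", "- -")
    return text


def render_hardened(path):
    """Same page, but the echoed path is escaped before entering the comment."""
    return f"<html><body>page</body></html>\n<!-- {escape_for_comment(path)} -->"


class TagCollector(HTMLParser):
    """Record start tags and comment bodies as a browser-like parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.comments = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_comment(self, data):
        self.comments.append(data)


def parse(markup):
    """Return (start tags, comment bodies) found in the rendered markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.comments
```

Running parse() over render_vulnerable("/abc/" + PAYLOAD) yields a script start tag outside the comment, while the hardened rendering keeps the whole payload inside a single comment.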

Reported : 26/05/2018

Bounty : $100

Thanks for reading! I will post my more interesting findings here.
