My first valid XSS (@Hackerone)

Hey, today I will share my first ever valid XSS bug, which was a reflected XSS on a public program on HackerOne.

So let's start. I was very new to HackerOne, so I picked a random program to start with and began doing some recon by finding the subdomains and different endpoints. While I was looking at different pages inside the website, I found an endpoint like this:

https://example.com/abc/]

I thought there was something fishy here, so I opened that page, but the page loaded normally. Then I looked at the source of the page, and at the end of the source I found a commented-out string containing the path after the domain.

So I tried entering something else in the URL path, and it was displayed as-is in that comment. So I tried closing that comment with a closing comment tag

--><test> and I was successful in closing that comment tag and in inserting other tags, so I inserted a script tag after that, and the final payload became

https://example.com/abc/]--><script>alert(1)</script>

and boom! XSS executed!

So in this way I was able to execute XSS on that page. Later I realised that this was on every page of that domain: every path of that particular domain had a commented-out string containing whatever was in the URL path, so XSS was executing on every page of that domain.
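For anyone fixing this class of bug, here is an added example (not the affected site's code and not part of the original report) that reproduces the reflection into an HTML comment next to a hardened version, and checks both with a parser. The page template, the "path:" comment layout and all function names are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed page template; the real site's markup is not known.
PAGE = "<html><body><p>page</p></body></html>\n"

# Payload path quoted in the post, used here only as test input.
PAYLOAD_PATH = "/abc/]--><script>alert(1)</script>"


def footer_comment_vulnerable(url_path: str) -> str:
    # Behaviour the post describes: the raw URL path is copied into a comment.
    return f"{PAGE}<!-- path: {url_path} -->"


def footer_comment_hardened(url_path: str) -> str:
    # With > escaped, the "-->" terminator cannot occur in the reflected
    # text, so it cannot leave the comment or open a tag.
    return f"{PAGE}<!-- path: {html.escape(url_path, quote=True)} -->"


class Collector(HTMLParser):
    """Records which start tags and comments the parser actually sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.comments = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_comment(self, data):
        self.comments.append(data)


def parse(document: str) -> Collector:
    collector = Collector()
    collector.feed(document)
    collector.close()
    return collector


def script_tag_parsed(document: str) -> bool:
    # Regression check: no <script> element may come out of the reflection.
    return "script" in parse(document).tags


if __name__ == "__main__":
    for render in (footer_comment_vulnerable, footer_comment_hardened):
        print(render.__name__, script_tag_parsed(render(PAYLOAD_PATH)))
```

Escaping keeps the reflected text inside the comment; not writing request data into the page at all removes the sink entirely.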

Reported : 26/05/2018

Bounty : $100

Thanks for reading! I will post more of my interesting findings here.