Jatin Aesthetic
Jun 2, 2019 · 2 min read

Story of a uri based xss with some simple google dorking

Hey everyone,

This is an old XSS bug that I found in a private program on HackerOne by doing some Google recon. Because it was a private program, I will refer to the site as www.example.com throughout.

So lets start,

The program seemed to be quite old, but its scope was wide, with a bunch of domains. I thought that many people might have already tested the main domain, so I decided to explore the other domains in the list first. During the initial testing I didn't find anything useful. Then I thought of doing some Google dorking using

Site:*.example.com inurl:redirect

and appending various things like intext: ../index, admin, sql, url, redirect, etc. After using redirect in the inurl parameter I got an interesting endpoint like this


It immediately caught my interest and I started looking for bugs in it. First I tried redirecting it to google.com and it worked. Then I thought of javascript: URIs, which can lead to XSS when the redirect target is handed to the browser unvalidated. So I added this simple javascript: URI in the redirect parameter


And now the site took me to the login page, as I was not logged in. I logged in and the alert popped up. There was also no protection on logout, so a user could be logged out of their account and sent to this malicious URL again; when they entered their creds the XSS would execute, and the attacker could do whatever they want: phishing, cookie stealing, keylogging, etc. Unfortunately the same endpoint also existed on some other domains of that program, so they were vulnerable too.
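The root cause here is that the redirect parameter was passed to the browser without checking what kind of URL it held. The check below is an added example (not code from the post or the program) of how a server should vet a redirect target: allow only same-origin relative paths or http(s) URLs on an allowlisted host, after normalizing the way browsers do, so javascript: and friends never reach a navigation. The host name www.example.com is the post's placeholder; everything else is constructed.

```python
"""Allowlist validation for a ?redirect= parameter (constructed example)."""
from urllib.parse import urlsplit

# Assumption: the application's own host(s); everything else is rejected.
ALLOWED_HOSTS = {"www.example.com"}

# Browsers strip leading/trailing C0 controls and spaces, and drop ASCII
# tab/CR/LF anywhere in a URL, so "java\tscript:" is still a javascript: URI.
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def _browser_normalize(raw: str) -> str:
    s = raw.strip(_C0_AND_SPACE)
    for ch in ("\t", "\n", "\r"):
        s = s.replace(ch, "")
    # Browsers treat backslashes as slashes in http(s) URLs, so "/\evil.com"
    # is really "//evil.com"; normalize before classifying.
    return s.replace("\\", "/")


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return `raw` if it is a safe redirect target, else `default`.

    Safe means: a same-origin path ("/account?x=1") or an http(s) URL whose
    host is in ALLOWED_HOSTS. Any other scheme (javascript:, data:, ...),
    scheme-relative URLs ("//evil.com") and userinfo tricks are rejected.
    """
    s = _browser_normalize(raw)
    parts = urlsplit(s)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: exactly one leading slash, never "//host".
        if s.startswith("/") and not s.startswith("//"):
            return s
        return default

    # Absolute URL: scheme must be http(s) and the *parsed* hostname must be
    # allowlisted (hostname ignores "user@" prefixes and is lowercased).
    if parts.scheme.lower() in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return s
    return default


def check_samples() -> dict:
    """Run the validator over constructed inputs; returns {input: result}."""
    samples = [
        "/account?x=1", "https://www.example.com/home",       # accepted
        "javascript:alert(1)", "JaVaScRiPt:alert(1)",         # other scheme
        "java\tscript:alert(1)", "  javascript:alert(1)",     # browser quirks
        "//evil.com", "/\\evil.com",                          # scheme-relative
        "https://google.com", "https://www.example.com@evil.com/",
    ]
    return {s: safe_redirect_target(s) for s in samples}
```

Only the first two constructed inputs come back unchanged; every other one falls through to the default landing page.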

The program responded very quickly and gave a good reward.


If you are lost in a program and don't find anything, always look for other things like Google dorking or reading source code for other endpoints which are not visible in the main app; many hunters might have missed them.


I will add a small list of dorks you can use to find this kind of bug.

inurl: redirect,url,next,redirect_to,page,site

These can even lead to SSRF if there is no proper sanitization in the code, so keep digging on these. You can also try other dorks for finding hidden gems. You can find the latest updated dorks here: https://www.exploit-db.com/google-hacking-database . Google dorking is great for finding sensitive endpoints and parameters; always give it a try during your testing :)

I will post some more of my findings here in the upcoming weeks. Till then keep hacking and sharing. This community is great and we should learn from each other and share. #TogetherWeHitHarder



Twitter : https://twitter.com/techyfreakk
