$150 XSS at Error Page of Repository Code

Navneet
Dec 7, 2019

This article is about a security bug/issue I found in a private program on HackerOne (H1).

As the title says, the bug was a Reflected XSS.

The parameter that was vulnerable to XSS was not on the program's website but in the code in the program's GitHub repository.

I searched GitHub for the name of the private program and found that they have some code written in different programming languages. Out of those, I looked for bugs in the PHP code. So, I looked for $_GET['someParameter'], which should take the value of "someParameter" like this:

localhost/ThePHPcode/thePage.php?someParameter=XSS_PayLoad

And I was successfully able to find one such parameter in one of the code files, which was a default error page as mentioned above, i.e. $_GET['someParameter'].

Now, I inserted the payload and was successfully able to pop up the alert box with document.cookie.

So, I reported it to them, explaining that if some website uses their code to integrate the functionality which their code provides, then that website becomes vulnerable to XSS because that website has their vulnerable code.
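
The pattern described above, shown as an added example that is not the program's code or part of the original report: an error page that copies a query parameter into its HTML, next to a form that encodes it for output. The function names, the page markup and the sample input are assumptions made for illustration; only the `someParameter` name comes from the article.

```php
<?php
// Added illustration. Function names and markup are hypothetical.

// Vulnerable pattern: the request value is copied into the HTML unchanged,
// so any markup in the parameter is parsed by the visitor's browser.
function render_error_vulnerable(array $query): string
{
    $msg = $query['someParameter'] ?? 'Unknown error';
    return "<h1>Error</h1><p>" . $msg . "</p>";
}

// Hardened form: encode for the HTML context at the point of output.
function render_error_hardened(array $query): string
{
    $msg = $query['someParameter'] ?? 'Unknown error';

    // A request such as ?someParameter[]=x delivers an array, not a string.
    if (!is_string($msg)) {
        $msg = 'Unknown error';
    }

    // ENT_QUOTES also encodes single quotes, which matters if the value is
    // ever moved into an attribute; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h1>Error</h1><p>" . $safe . "</p>";
}

// Constructed sample input standing in for $_GET on a live request.
$sample = ['someParameter' => '<script>alert(1)</script>'];

// First line: the markup is emitted as markup.
echo render_error_vulnerable($sample), PHP_EOL;
// Second line: the same input is emitted as inert text.
echo render_error_hardened($sample), PHP_EOL;
```

Because the code ships in a repository that other sites integrate, the fix has to land in the repository itself; each site that copied the old error page stays exposed until it updates.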

This report was submitted more than a year ago from today's date. So, I got a surprise of $150 after a year.

Feedback and comments are welcome.

Navneet

I am a Computer Science - Information Security student. I write stuff about web application security bugs/issues.