$150 XSS at Error Page of Repository Code

Dec 7, 2019 · 1 min read

This article is about a security bug I found in a private program on HackerOne (H1).

As the title says, the bug was reflected XSS.

The parameter that was vulnerable to XSS was not on the program's website but in the code in the program's GitHub repository.

I searched GitHub for the name of the private program and found that they have some code written in different programming languages. Out of those, I looked for bugs in the PHP code. So I looked for $_GET['someParameter'], which would take the value of "someParameter" like this:

localhost/ThePHPcode/thePage.php?someParameter=XSS_PayLoad

And I was able to find one such parameter in one of the code files, which was a default error page as mentioned above, i.e. $_GET['someParameter'].

Now, I inserted the payload and was successfully able to pop up the alert box with document.cookie.

So I reported it to them, explaining that if a website uses their code to integrate the functionality which the code provides, then that website becomes vulnerable to XSS because it contains their vulnerable code.
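The pattern described above, next to a hardened form, as an added example (not the program's code and not from the original report). The function names and the sample value are hypothetical; `someParameter` is the placeholder name used in this article.

```php
<?php
declare(strict_types=1);

// Hypothetical error-page helpers. $query stands in for $_GET so the
// script runs from the command line without a web server.

// Vulnerable pattern: the request value is concatenated into HTML as-is,
// so any markup in it is interpreted by the visitor's browser.
function render_error_unsafe(array $query): string
{
    $msg = $query['someParameter'] ?? 'Unknown error';
    return '<h1>Error</h1><p>' . $msg . '</p>';
}

// Hardened form: the value is treated as text and encoded for the HTML
// context it is written into.
function render_error_safe(array $query): string
{
    $msg = $query['someParameter'] ?? 'Unknown error';

    // ?someParameter[]=x arrives as an array; fall back to a fixed message.
    if (!is_string($msg)) {
        $msg = 'Unknown error';
    }

    // ENT_QUOTES encodes both quote styles (matters if the value is later
    // moved into an attribute); ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<h1>Error</h1><p>' . $encoded . '</p>';
}

// Constructed sample input: harmless markup that shows whether the page
// treats the parameter as HTML or as text.
$query = ['someParameter' => '<b>constructed "sample"</b>'];

echo render_error_unsafe($query), PHP_EOL; // markup reaches the page intact
echo render_error_safe($query), PHP_EOL;   // markup is shown as literal text
```

Because the file ships in a public repository, the fix has to land in the repository itself so that every site integrating the code picks it up.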

This report was submitted more than a year ago from today's date. So I got a surprise of $150 after a year.

Feedback and comments are welcome.
