I saw a couple of other write-ups and blog posts about “XSS in OLX”, but when I got to read them, they ended up being either stored XSS or on some other website that falls within the scope of OLX…
I figured, “hey, if they are good enough for a write-up, so is my bug.” xD
Original report: https://hackerone.com/reports/477771
I was looking for bugs on another website when I came across this.
It is a reflected cross-site scripting (XSS) vulnerability in the parameter search[user_id], located on the main page of Olx.pt.
If you navigate to Olx.pt, choose a random item, open that item's page and click “outros anúncios” (as in “other ads”), you will get redirected to:
Within that page, the parameter search[user_id] was vulnerable to XSS.
It was across all the domains; here is an example of it on Poland’s domain:
I reported it and got added to OLX’s Hall of Fame:
Kudos to me!! xD