How PayPal helped me to generate XSS

Hi ,

I was on break for a year because of my dad’s health issue :(
But now I’am back :D

This is my first write up on medium.com , its a old finding but may help you ;)

Ok. So one day I was doing some work with my friend and visited PayPal to get a Pay with PayPal button.

I logged in to PayPal and moved to tools section and clicked on PayPal buttons. After clicking PayPal redirected me to https://financing.paypal.com/ppfinportal/adGenerator

Here we can create buttons.

While generating a button I looked on the URL bar and got excited.

The URL was some thing like this https://financing.paypal.com/ppfinportal/adGenerator/emailCopy?size=320x200

The banner size was in url .So i decided to test it.

I’ve changed the size to LOL

and got surprised , the width size in embed code changed to LOL

Now what :P
I’ve changed LOL string to a XSS payload and the size became “><img src=x onerror=prompt(1)>

Now the size in embed code became “><img src=x onerror=prompt(1)> . Which means if you’ll use the infected embed code you’ll be greeted by XSS popup :P

Look at the embed code carefully :P

So this accidental XSS gave me 250$ :D