Story about my first bug bounty

Sudhanshu Rajbhar
Nov 30, 2018 · 4 min read

2 DOM-based XSS in

Hey Everyoneee,

I am Sudhanshu Rajbhar, and today I am going to share the story of two DOM-based XSS bugs I found in Alibaba’s Bug Bounty Programme.

I had just come to know about Alibaba’s Bug Bounty Programme, and that they have a large scope, so I decided to take a look at it. It was the first week of August. My maths exam was two days away, but I was busy with this.

After reading their policy and checking the scope, I went on YouTube and searched for bugs already found in Alibaba websites to get an idea about my target; most of the PoCs were about XSS. After watching the PoCs I picked out some domains at random that included, and some more.

Here we go..

I started my recon by checking the available subdomains; for that I went to and started going through them one by one. I didn’t get any interesting subdomains at first, so I started looking for subdomains here and found this subdomain, samsung. Ahh, let’s see what’s there. I opened that subdomain and got this:

Image for post

What would most people do here? They would just ignore it. I was going to do the same thing, but then I remembered an article I had read: if you encounter a page like this, Google the site, and you may find an endpoint that is still accessible.

So that’s what I did. I used this simple dork, and the results really surprised me:

Image for post

I opened this URL and started testing the parameters. The title parameter was reflecting the input, so to check whether there was any filter I used <b></b> and found out that there was none.

Image for post

I used the payload <script>alert(1)</script>, but it didn’t work. Then I tried <img src=x onerror=alert('XSS')> and boooom, I got the XSS popup.
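A common reason a <script> payload fails while an <img onerror> payload works in a DOM-based XSS is the sink, not a filter: HTML5 does not execute <script> elements inserted through innerHTML, but an <img> with an unloadable src still fires its onerror handler. The JavaScript below is an added example, not code from this write-up or from the target site. It assumes a page that reads the title parameter client-side and writes it into the page with innerHTML (the element, the markup and the render functions are assumptions for illustration), shows the vulnerable rendering beside an escaped one, and includes a heuristic that tells the two payloads from the post apart. The second finding later in the post (same parameter, different endpoint) is the same pattern.

```javascript
// Added example (not the author's code): a reflected query parameter reaching a
// DOM sink, why <script> is inert there while <img onerror> fires, and the fix.
// Assumption: the page reads "title" from the query string and assigns it to
// element.innerHTML. Endpoint, element ids and markup are illustrative only.

// Read the parameter the way the page presumably does. URLSearchParams exists in
// browsers and in Node, so this file runs in either.
function getTitleParam(search) {
  return new URLSearchParams(search).get('title') || '';
}

// VULNERABLE: the raw value is concatenated into markup that the page then
// assigns to innerHTML. Anything that parses as HTML survives unchanged.
function renderTitleVulnerable(search) {
  return '<h1>' + getTitleParam(search) + '</h1>';
}

// HARDENED: escape the HTML metacharacters before the value touches markup
// (or, better still, assign it with textContent and skip markup entirely).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderTitleSafe(search) {
  return '<h1>' + escapeHtml(getTitleParam(search)) + '</h1>';
}

// Heuristic classifier for innerHTML sinks: a <script> element inserted this way
// is never executed (HTML5 parsing rule), whereas an inline event handler such
// as onerror/onload on an element that gets created does run. Payloads that need
// user interaction (e.g. javascript: hrefs) are reported as not firing.
function firesViaInnerHtml(payload) {
  const p = payload.toLowerCase();
  if (/<script[\s>]/.test(p)) return false;   // inert via innerHTML
  return /\son[a-z]+\s*=/.test(p);             // inline handler -> executes
}

// The payload from the write-up, used as constructed sample input.
const PAYLOAD = "<img src=x onerror=alert('XSS')>";

// In a browser the sink would be:
//   document.getElementById('title').innerHTML = renderTitleVulnerable(location.search);
// Swapping in renderTitleSafe leaves the same assignment harmless.
```

Running the vulnerable renderer on `?title=` followed by the URL-encoded payload returns the markup with the img tag intact, which is exactly what the browser then parses and executes; the escaped variant returns it with `&lt;`, `&gt;` and `&#39;` in place of the metacharacters, and the classifier reports `<script>alert(1)</script>` as inert and the img payload as firing.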

Image for post

This was my first bug in a bounty programme, so I was really excited; I was even screaming at the time.

I submitted this on and their response was really fast. I opened the report and saw that I was rewarded with $50.

This time I was screaming a little louder than before. So that’s the end of the story of my first bug bounty. Soon after that I was rewarded with $100 on HackerOne on vhx.

Now it’s time for the second XSS.

I found the second XSS only this month, in the same domain. To fix the previous XSS they removed that endpoint, and if I try to open it now I get a 404 Not Found.

I thought of running a tool like DirBuster or gobuster on this subdomain to find a new endpoint. I tried both, but neither was working here; they were giving errors on this subdomain, so I moved on.

After some days I got to know about dirsearch, so I thought of giving it a try. It worked perfectly, and from the results I got one more endpoint: /test/

I opened and from there I found the same URL as before. I used the payload and, as you guessed, the XSS popup was there.

Image for post

Again a $50 bounty from Alibaba. It was really simple.

So don’t forget to run directory brute-force tools on the subdomains of your target; you might get lucky just like me.

Thanks a lot for reading till the end. I hope you found this article interesting. Sya

Video POC
