Here is how XSS was detected on the site of the mobile giant OnePlus. Though I was not the first one to detect and report the vulnerability, this might give you an idea of where such vulnerabilities may be present and will help in manual hunting.
1. First, you need to log in to your OnePlus account (https://www.oneplus.com).
2. Then, navigate to Support → Contact Us → Chat with Us.
3. Fill in your email ID, name, phone number and issue details, and proceed to the chat window.
Alternatively, you can navigate directly to the Customer Support Portal using this link to start a chat as an anonymous user.
4. In the chat window, in the text input field, type any one of the following payloads (JavaScript code):
<img src=xss onerror=alert(1)>
<img src=x onerror=prompt(document.cookie)>
Whatever we type in the chat window is reflected in the browser, which means reflected XSS may be present. The first thing one must check is the source code of the response page. If the input is not properly filtered, it is very easy to craft a payload for reflected XSS.
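To make the "not properly filtered" condition concrete, here is an added example (not OnePlus code and not part of the original write-up) of a chat message template with and without output encoding, run over the two strings from step 4. The function names and the `msg` markup are hypothetical.

```javascript
// Added example: a chat widget's message template, unsafe version next to
// the encoded version. All names and markup here are hypothetical.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can open a tag, attribute or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: the visitor's text is concatenated into markup as-is, so the
// browser parses it as HTML when the bubble is inserted into the page.
function renderMessageUnsafe(sender, text) {
  return `<div class="msg"><b>${sender}</b>: ${text}</div>`;
}

// Hardened: both fields are encoded for the HTML text context.
function renderMessageSafe(sender, text) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(text)}</div>`;
}

// True if the rendered bubble contains any element other than the
// wrapper <div> and <b> that the template itself emits.
function containsInjectedTag(html) {
  const tags = html.match(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !/^<\s*(div|b)$/i.test(t));
}

// The two test strings from step 4 of the post.
const SAMPLES = [
  "<img src=xss onerror=alert(1)>",
  "<img src=x onerror=prompt(document.cookie)>",
];

// Render each sample both ways and record whether a foreign tag survived.
function auditSamples() {
  return SAMPLES.map((s) => ({
    input: s,
    unsafeInjects: containsInjectedTag(renderMessageUnsafe("visitor", s)),
    safeInjects: containsInjectedTag(renderMessageSafe("visitor", s)),
  }));
}

console.log(auditSamples());
```

In a real page the same effect comes from assigning the message to `textContent` instead of `innerHTML`; the string version above is used so the check runs without a browser.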
Here is the Video POC.