Vipin Chaudhary
Sep 23, 2017

How I bypassed Practo’s firewall and triggered an XSS.

One night, after submitting a few bug reports, I was browsing practo.com and thought of looking for vulnerabilities on it.

After some time I came to know that they have a firewall blocking all the XSS payloads, so I had to try something advanced, but somehow I managed to get HTML injection on their main domain.


Then I started digging deep to get an XSS, but firewall :( Then I thought of going back to brutelogic’s blog to see if it was possible to bypass it or not.

Most of the JS event handlers like onmouseover, onload and onclick were blocked by the firewall, but after experimenting a lot, oncopy worked and triggered an XSS.


The payload which worked was:

<vipin oncopy = prompt(document.domain)>
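The payload above slips past a filter that enumerates known handler names, because oncopy is simply not on the list. The following is an added example, not code from the original post or from Practo, showing the defensive side: a blocklist filter of the kind the post describes (its handler list is an assumption drawn from the post's wording, not Practo's actual rule set), a detection check that matches any on*= attribute instead of enumerating names, and context-appropriate HTML escaping, which neutralises the payload regardless of which handler it carries. It runs under Node.js with no dependencies.

```javascript
// Added example (not from the original post): why a blocklist of event-handler
// names is a weak XSS control, and what a more robust defence looks like.

// Blocklist filter of the kind the post describes. The handler list is an
// assumption based on the post's wording ("onmouseover, onload, onclick").
const BLOCKED_HANDLERS = ['onmouseover', 'onload', 'onclick'];

function blocklistFilter(input) {
  let out = input;
  for (const name of BLOCKED_HANDLERS) {
    // Strip " <name> = <value>" occurrences, tolerating spaces around "=".
    const re = new RegExp(`\\s${name}\\s*=\\s*[^\\s>]+`, 'gi');
    out = out.replace(re, '');
  }
  return out;
}

// Detection that does not depend on a list of names: inside a tag, any
// attribute beginning with "on" followed by letters and an "=" counts as an
// event handler. oncopy, onpaste, onfocus etc. are caught without being listed.
function containsEventHandler(html) {
  return /<[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Output encoding for the HTML text context: untrusted data rendered between
// tags is escaped so "<" can never open a tag, whatever attributes follow.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The payload from the post: non-standard tag name, oncopy handler, spaces around "=".
const PAYLOAD = '<vipin oncopy = prompt(document.domain)>';

// Compare both controls against the post's payload.
function demo() {
  const filtered = blocklistFilter(PAYLOAD);
  const escaped = escapeHtml(PAYLOAD);
  return {
    filtered,                                                  // unchanged: oncopy is not listed
    escaped,                                                   // '&lt;vipin oncopy = ...&gt;'
    blocklistStillExecutable: containsEventHandler(filtered), // true
    escapedStillExecutable: containsEventHandler(escaped),    // false
  };
}

console.log(demo());
```

The lesson for defenders is the one the post illustrates from the other side: a WAF rule that names specific handlers is only a speed bump, while encoding untrusted input for the context it lands in (here, HTML text) removes the injection point itself. The generic on*= pattern is still useful as a detection signal in logs, but it should back up output encoding rather than replace it.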

I reported this issue to Practo and they fixed it within a few hours.

It was when I had just started in security research/bug bounty, and it was a great learning experience for me.

So guys, when you are stuck in such situations, just keep on digging and look for help from other researchers and their blogs; it will help for sure.

I hope it was helpful for you too.

Thanks for reading, have a great day.

Vipin Chaudhary

Written by

Security Researcher | Bug Bounty Hunter

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew