My Story With XSS
As you know, every bug bounty hunter has a story with XSS, and I have one too.
Before starting this write-up I just want to mention that I started my bug bounty journey 2 months ago and it was full of adventures (by that I mean N/As, informatives and dupes). Anyway, I learned a bunch of stuff, and this is one of those lessons (it was a dupe too).
Without further ado, let's talk about how I hunted this XSS.

It all started when I picked a VDP from the HackerOne list and began my recon. I started by creating an account and watched the whole flow through Burp, because I love understanding the application logic and how it handles every step.
- Some findings on the signup point:
After a user finishes filling in the signup form, the application sends a request to /v3/users with a JSON body containing a bunch of information about the user. One parameter caught my eye, [afteractivationurl], which is the page you land on after clicking the activation link sent to your email.

So I first followed the application process as a normal user (no injections, no changes).
Then I noticed one thing about that process: there was a redirect page after activation, and the juicy part is that this page renders the path into the HTML after URL-decoding it.
So I immediately created a new account, and this time I changed the path sent by the client to my favorite simple URL-encoded payload:
'<img src="" onerror="javascript:alert(document.cookie)">'
Then, when I went back to my email inbox, I found the malicious link I had sent.

I clicked it and got the beautiful pop-up containing all of the user's cookies, because there was no HttpOnly flag on the Set-Cookie.
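To make the two root causes concrete (the redirect page splicing a URL-decoded value into HTML, and the session cookie being readable from script), here is an added example in Python that is not part of the original write-up and not code from the target application. It uses only the standard library; the function names, the page markup and the sample Set-Cookie headers are my own constructed assumptions. It shows the vulnerable rendering pattern beside a hardened version that both HTML-escapes the value and only allows a same-site relative path, plus a small check for the HttpOnly attribute.

```python
import html
from urllib.parse import unquote, urlparse

# Constructed sample: the URL-encoded form of the payload from the write-up.
SAMPLE_PAYLOAD = (
    "%3Cimg%20src%3D%22%22%20onerror%3D%22javascript%3Aalert(document.cookie)%22%3E"
)


def render_redirect_vulnerable(after_activation_url: str) -> str:
    """Mirrors the bug described: URL-decode the value, then splice it into HTML raw.

    Any markup in the decoded value becomes part of the page, so an <img onerror>
    payload runs in the victim's browser when the activation link is opened.
    """
    target = unquote(after_activation_url)
    return f'<p>Activated! Continue to <a href="{target}">{target}</a></p>'


def safe_after_activation_url(value: str, default: str = "/") -> str:
    """Allow only a same-site relative path; anything else falls back to the default.

    Rejects absolute URLs (scheme or host present), protocol-relative //host,
    and values containing whitespace or control characters.
    """
    decoded = unquote(value)
    parsed = urlparse(decoded)
    if parsed.scheme or parsed.netloc:
        return default
    if not decoded.startswith("/") or decoded.startswith("//"):
        return default
    if any(c.isspace() or ord(c) < 0x20 for c in decoded):
        return default
    return decoded


def render_redirect_hardened(after_activation_url: str) -> str:
    """Hardened rendering: validate the target, then HTML-escape before output.

    Escaping alone stops the markup injection; the allow-list additionally stops
    the same parameter from being abused as an open redirect.
    """
    target = safe_after_activation_url(after_activation_url)
    escaped = html.escape(target, quote=True)
    return f'<p>Activated! Continue to <a href="{escaped}">{escaped}</a></p>'


def cookie_has_httponly(set_cookie_header: str) -> bool:
    """Return True if a Set-Cookie header value carries the HttpOnly attribute.

    Without HttpOnly, document.cookie exposes the session to any injected script,
    which is exactly why the alert in the write-up showed the user's cookies.
    """
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" in attributes


if __name__ == "__main__":
    print(render_redirect_vulnerable(SAMPLE_PAYLOAD))
    print(render_redirect_hardened(SAMPLE_PAYLOAD))
    print(render_redirect_hardened("/dashboard?welcome=1"))
    # Constructed sample headers, one weak and one with HttpOnly set.
    print(cookie_has_httponly("session=abc123; Path=/"))
    print(cookie_has_httponly("session=abc123; Path=/; HttpOnly; Secure"))
```

The vulnerable function reproduces the decode-then-render mistake; the hardened one applies output encoding for the HTML context and a strict allow-list for the redirect target, and the cookie check is the sort of thing a response-header review or a security unit test would assert on.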

Sadly I got a dupe for this one, but it helped me find other valid bugs and earn bounties, because it made me understand that every step a web application takes may be vulnerable; you just need to dig deeper to find it.