How I got a $2000 bounty with RXSS

Hi fellow hunters, in this write-up I will explain how I found a reflected cross-site scripting bug and demonstrated multiple attack scenarios for it.

The target I was testing was an old public program; I will refer to it as throughout this blog, so let’s get started.

Finding Reflected XSS

I found a unique subdomain by performing vertical and horizontal subdomain enumeration. I have created my own bash script for subdomain enumeration based on this methodology.

Check out this blog for subdomain enumeration.

The unique subdomain was . When I tried to visit it, it redirected me to the main domain, so I decided to fuzz its directories with ffuf.

After fuzzing, I got an endpoint named launcher that served a JS file containing numerous hidden endpoints.

In the JS file I found an endpoint named LinkPsn. Recursive fuzzing on it revealed one more endpoint named conflict, a page containing a continue button. There I performed parameter fuzzing and found the successRedirect parameter, which was vulnerable: after clicking the continue button, an alert popped up.

I immediately reported this and my report was triaged, but here is a twist!

A staff member changed the severity to Low and awarded a $500 bounty. I was shocked, because for a Low bug they were offering $500 and for a Medium they were offering $2000.

Staff Members Response

This is a reflected XSS, which means that the only way to achieve something out of it is through phishing or something of the sort. For this reason we decided to decrease the severity of this issue.

Reflected XSS falls under the Medium severity range (4 ~ 6.9).

So I decided to show the impact by creating multiple use cases with the help of my friend Saad Ahmed.

There are various means by which an attacker might induce a victim user to make a request that they control in order to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows content to be generated, or sending a link in an email, tweet, or other message. The attack could be targeted directly against a known user or could be an indiscriminate attack against any users of the application.

Below are the different cases in which I have tried my best to show the impact of this reflected XSS. There is much more that can be done with a reflected XSS, such as controlling the victim's browser by delivering a BeEF hook URL through it.

Case 1: Defacement

Case 2: Stealing the victim's password and sending it to the attacker's server

Payload :

Stealing Password
Sending Password To Attacker's Server

Case 3: Downloading malware onto the victim's computer

Payload :

Malware on Victim's System

Case 4: Controlled DOM

Payload :

Control on DOM
Before Exploitation
After Exploitation
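As an added defensive example (not code from the original post or the program's application), here is how a page could handle a successRedirect-style parameter so that it can neither become a cross-origin or javascript: URL nor be reflected as raw HTML; the origin and default path are assumptions.

```javascript
// Added example: hardening a redirect parameter like the "successRedirect"
// one from the write-up. APP_ORIGIN and DEFAULT_PATH are assumed values.
const APP_ORIGIN = "https://app.example.com"; // assumed application origin
const DEFAULT_PATH = "/account";              // assumed safe landing page

// Return a same-origin path for the post-continue redirect, or the default
// when the value is missing, off-origin, or uses a non-http(s) scheme.
function safeRedirectTarget(successRedirect) {
  if (typeof successRedirect !== "string" || successRedirect.length === 0) {
    return DEFAULT_PATH;
  }
  let url;
  try {
    url = new URL(successRedirect, APP_ORIGIN); // resolves relative paths
  } catch {
    return DEFAULT_PATH;                        // unparsable input
  }
  // Rejects javascript:/data: (origin "null"), protocol-relative "//evil"
  // and "user@evil" tricks, since all of them change the origin.
  if (url.origin !== APP_ORIGIN) return DEFAULT_PATH;
  // Re-emit only path + query + fragment so the stored value is never
  // an absolute URL, even if the origin check is refactored later.
  return url.pathname + url.search + url.hash;
}

// Escape a value before placing it into an HTML attribute or text node.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the continue button from the vetted target, never the raw parameter.
function continueButtonHtml(successRedirect) {
  const target = safeRedirectTarget(successRedirect);
  return `<a class="continue" href="${escapeHtml(target)}">Continue</a>`;
}
```

The same check belongs on the server side if the redirect is issued via a Location header, where an allowlist of exact paths is stricter still.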

Final Note

Thank you very much for your attention and I wish you good luck in finding as many bugs as possible and getting big rewards!





Information Security Consultant | Red Teamer | Bug Bounty Hunter | Penetration Tester
