Skip to main content

Posts

Featured

Story of a Parameter Specific XSS!

Hello Infosec folks!
                    So I am going to start writing posts related to my bug hunting findings and share it with the community starting with this post.
So, this post is about a Reflected XSS I found in a Private Program which has been previously tested many times.This XSS was present on nearly every page of the domain (let's call this private-bounty.com) but wasn't found by anyone before.
When I was going through the Application, I found an endpoint which had following in URL: https://www.private-bounty.com/Deactivate?view=aaa&utm_content=foo&utm_medium=bar&utm_source=baz
I checked the source code to see if the parameter "view" was reflected somewhere in the page and it was found that the whole URL was reflected in Javascript context(inside Script tags) but except for the parameter "view" and its value.




It got reflected as -  https://www.private-bounty.com/Deactivate?utm_content=foo&utm_medium=bar&utm_source=baz
Then I…

Latest posts