Updated: Apr 22
If you are manually testing for XSS in a very busy program and there is a common parameter like "q=", on one of the TLDs at that, will you spend your time testing that parameter, or will you try to find some unique parameters by enumerating JS files and give your time to those instead? In today's blog, I'll write about how I nearly missed a "NO FANCY PAYLOAD" XSS in the most common and most protected parameter of today's time.
I picked a target and started subdomain discovery. While I was gathering the subdomains, I used a few dorks and found directory listings on a few subdomains. The dork was:
After my subdomain enumeration was complete, I picked a random subdomain, created an account there, and kept intercepting the whole time. I saw that the website was continuously fetching user data from another subdomain of the same target.
I changed the Origin: header to my own website and saw that the server was accepting any arbitrary domain in the Origin: header.
To double-confirm the vulnerability I tried to exploit it, and it was exploitable too.
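The misconfiguration described above is a server that echoes whatever value arrives in the Origin: header back in Access-Control-Allow-Origin. The following is an added example, not code from the post or from the target: it puts the reflecting behaviour next to an exact-match allowlist, and adds a small classifier that a tester or a regression test can run against response headers. The origins and the allowlist are constructed for the example.

```python
from typing import Mapping, Optional

# Constructed allowlist for this example; a real service loads it from config.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def weak_cors_headers(request_origin: Optional[str]) -> dict:
    """Reflect any Origin the client sent (the pattern found in the post).
    Combined with Allow-Credentials, any site can read authenticated responses."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(request_origin: Optional[str],
                          allowed=frozenset(ALLOWED_ORIGINS)) -> dict:
    """Exact-match allowlist: unknown origins get no CORS grant at all.
    'Vary: Origin' stops a cache from handing one origin's response to another."""
    if request_origin in allowed:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Vary": "Origin"}


def assess_cors(probe_origin: str, headers: Mapping[str, str]) -> str:
    """Classify the CORS headers of a response to a request that carried
    `probe_origin`, an origin the tester controls and the server should not trust.

    Returns one of: 'no-cors', 'wildcard', 'reflected-with-credentials',
    'reflected', or 'other-origin'.
    """
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"                      # browser blocks cross-origin reads
    if acao == "*":
        return "wildcard"                     # readable by anyone, but never with credentials
    if acao == probe_origin:
        # The server trusted an origin it has no reason to trust.
        return "reflected-with-credentials" if acac else "reflected"
    return "other-origin"                     # a fixed value that is not ours


def compare_handlers(probe_origin: str) -> dict:
    """Run the same untrusted probe origin through both handlers."""
    return {
        "weak": assess_cors(probe_origin, weak_cors_headers(probe_origin)),
        "hardened": assess_cors(probe_origin, hardened_cors_headers(probe_origin)),
    }


if __name__ == "__main__":
    print(compare_handlers("https://tester-controlled.example"))
```

The classifier deliberately keys on "the value we sent came back", not on any knowledge of the server's intended allowlist: a probe origin that the tester owns and that the application has no business trusting is the one signal that separates a reflected policy from a legitimate fixed grant.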
Also, while testing, I run vulnerability scanners in parallel for some surprises. You don't get a bug from scanners every time, but we should always try. I got an XMLRPC-enabled file URL, which is out of scope in most programs, but at least it gave me something.
No payload gave me a popup. I then tried a few more payloads and still had no success.
That was when I told myself I was not going to get XSS on this target. Then I saw a few parameters where I hadn't tested even a single payload. They were:
1) q=
2) utm_source=
3) utm_medium=
4) campaign=
I picked the first parameter and found myself too lazy to pick up the list of payloads again and test them one by one, so I decided to give it only one try and tried an escaped payload.
So lucky I could get,
One thing I learned: never skip a parameter just because the others are protected and assume that one would be too.
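The defender's version of that lesson is that every reflected parameter (q=, utm_source=, utm_medium=, campaign= alike) has to be encoded for the context it lands in, not just for "HTML in general". The post does not show the payload or where q= was reflected, so the following is an added example built on an assumption: that the value was reflected inside a JavaScript string, where HTML-entity encoding alone does nothing and only backslash escapes matter. It is not the target's code or the author's; the page templates and the sample input are constructed.

```python
import html
import json


def js_string_literal(value: str) -> str:
    """Encode `value` as a JavaScript string literal safe to embed in a <script>.

    json.dumps backslash-escapes quotes, backslashes and control characters.
    '</' is additionally escaped so the value can never close the <script>
    element, and U+2028/U+2029 are escaped because they end a JS line even
    though they are valid inside JSON.
    """
    return (json.dumps(value)
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def render_search_page_weak(q: str) -> str:
    """Constructed 'before': the HTML slot is entity-encoded, the script slot is not.
    A parameter that passes every tag-based payload can still break out here."""
    return (f"<p>Results for: {html.escape(q)}</p>\n"
            f'<script>var q = "{q}";</script>')


def render_search_page_hardened(q: str) -> str:
    """Constructed 'after': each slot uses the encoder for its own context."""
    return (f"<p>Results for: {html.escape(q)}</p>\n"
            f"<script>var q = {js_string_literal(q)};</script>")


def script_slot(page: str) -> str:
    """Pull the embedded literal back out of the rendered page for inspection."""
    start = page.index("var q = ") + len("var q = ")
    end = page.index(";</script>", start)
    return page[start:end]


def script_slot_is_contained(page: str) -> bool:
    """True if the script slot is exactly one JS string literal that round-trips
    through a JSON parser and cannot terminate the script element."""
    literal = script_slot(page)
    if "</" in literal:
        return False
    try:
        return isinstance(json.loads(literal), str)
    except ValueError:
        return False


if __name__ == "__main__":
    sample = 'say "hi" </script>'   # constructed input with a quote and a closing tag
    print(script_slot(render_search_page_weak(sample)))
    print(script_slot(render_search_page_hardened(sample)))
```

The `script_slot_is_contained` check is the kind of assertion worth keeping in a test suite for every parameter a page reflects: it fails the moment someone adds a new reflection point that reuses the HTML encoder in a script context.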
Thank you guys for your time, I hope you find this informative.
I'll soon post a write-up on my Bounty Report!
Stay Tuned and Peace!