My First Reflected XSS Bug Bounty — Google Dork — $xxx
2022-2-16 16:3:31 Author: infosecwriteups.com(查看原文) 阅读量:1504 收藏

Proviesec

Today I will share a Reflected XSS vulnerability that was reported by me, to a security team as part of their bug bounty program at Hackerone. I became aware of this XSS flaw through a good Google Dork of mine.

Cross-site scripting (XSS) is a web application vulnerability that allows an attacker to inject code (usually HTML or JavaScript) into the content of an external website. When the victim views the infected page on the website, the injected code will be executed in the victim’s browser. As a result, the attacker bypassed the browser’s same-origin policy and was able to steal private information from victims.

Google Dorking is basically a search that uses advanced search query to find information that are not easily available on the websites. They are search strings which you enter into the Google search to find certain vulnerabilities.

Google Dorking is actually quite simple. You just need to know some basics about dorks that can give you the information you need.

intitle:"index of" 
intext:"Index of /" +.htaccess
filetype:log
site:medium.com

Here can you find more of them: https://github.com/Proviesec/google-dorks

And the Google Hacking Database contains a lot of google dorks that can find vulnerabilities or signs of a CVE: https://www.exploit-db.com/google-hacking-database

  1. I have search on google with this dork: site:redacted.com inurl:quiz inurl:&
  2. Then I found only 2 results in the google search and took a deeper look at the first result.

Next steps:

  1. Go to https://www.redacted.com/lp/ecommerce/commercial-quiz/thanks.html?ques-01=false&ques-02=false&ques-03=true&ques-04=false&ques-05=false&ques-06=true&ques-07=false&ques-08=false&ques-09=false&ques-10=false&score=99
  2. change the parameter score to 99testme%3CIMG%20%22%22%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E%22\%3E
  3. An alert box with the value of document.cookie pops.
  4. Then I tried to combine the bug with other bugs. But after 2 days I only reported the XSS bug and got a triple digit bounty for this.

Here are the short Hackeorne report:

Timeline:

Submitted: 18 Jul, 2021

Accepted: 20 Jul, 2021

Triaged: 23 Jul, 2021

Resolved: 25 Jul, 2021

Closed: 08 Nov, 2021

How can you find XSS?

Tools:

Similar reports:

Tip: “Old procedures, many reports, big scops” Don’t let this bother you. Try to find more and more parameters and test them all.

Do your research well before testing XSS. Don’t shoot the payloads on every parameter. Think first, then test the parameters. For example, see if the inputs are reflected or not. And check each parameter before using it to apply payloads.

Here is my Hackerone profile: https://hackerone.com/proviesec

Please feel free to ask me and suggest changes I should consider next time. Thanks for reading anyway 👋.

Do you need antoher good article? -> https://infosecwriteups.com/broken-link-hijacking-404-google-play-store-xxx-bounty-96e79a8dfd71


文章来源: https://infosecwriteups.com/my-first-reflected-xss-bug-bounty-google-dork-xxx-92ac1180e0d0?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh