DOM-Based XSS | Bug Bounty Writeup


Bug Bounty Program: Private Program
Target website: https://hnpexample.com
Vulnerability type: DOM-Based XSS
Severity: HNP-Point ==> 2 (from the HNP range 0-10)
Reward: HOF | 100$

Introduction:

This bug was found as part of a private program, and the details of the bug are explained below. Disclosing the name of the domain, however, is not permitted 🙂

 

Procedure to find the bug:

After visiting the website, I found a search page where I could search for items to buy. After submitting a probe payload in the search bar, I noticed something interesting: the search term was reflected into inline JavaScript code on the results page.

Payload search item: '">victor

 

The reflection I got in the page source is shown below:

[Screenshot 1: reflection of the probe payload inside the page's inline JavaScript]

 

From the screenshot we can see that the greater-than sign (>) and the double quote (") are filtered, but the single quote (') is not. Looking carefully, the quote used to delimit the reflected string is also a single quote, so our single quote terminates the string literal.

That means we can close the string, then close the surrounding syntax, and append our own JavaScript.

The next step was to deal with that surrounding structure. The search term was stored as a property of an object literal (inside curly braces, {}) that is later handed to a function, so the object and the statement have to be closed cleanly before any injected code can run.

So, I just added following payload.

Payload:    victor',count='1'};

The resulting page source is shown below:

[Screenshot 2: page source after the second payload, showing keyword and count in the object passed to searchDL]

In the screenshot above both of our parameters, keyword and count, now end up in the object handed to the searchDL function. The page's own count property, which follows our injection point, is still dangling, however, so we have to absorb its closing quote (') and the comma (,) that precedes it, or the script will not parse.

From here we can add any JavaScript code after the semicolon (;). Once the injected code is in place, the remaining task is to consume the original count parameter so that the whole script is still syntactically valid.

So I extended my previous payload: after the JavaScript code I opened a fresh object literal with a keyword property, leaving its string unterminated, so that the remainder of the original statement (the closing quote, the count property and the closing brace) completes it.

 

Final-Payload:  victor',count: '1'};alert(document.cookie);var j ={keyword: '1

The page source then contained the following JavaScript code:

[Screenshot 3: page source after the final payload, with the alert(document.cookie) call between the two object literals]

And with that I got an alert box.

[Screenshot 4: alert box showing the cookie]

The cookie stored in the browser pops up in the alert. One note on classification: because the search term is echoed by the server into the inline script (it is visible in the page source), this is strictly a reflected XSS in a JavaScript string context rather than a purely client-side DOM-based one; the exploitation is the same either way. The proper fix is to encode the value for a JavaScript string literal (for example JSON-encoding it and additionally escaping <, > and &) instead of stripping a handful of characters, which is exactly the blocklist that the single quote slipped past here.
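The following is an added example, not code from the original writeup or from the target site. It models the vulnerable page as inferred from the text of the screenshots (an object literal `var j = {keyword: '...', count: '...'}` handed to a function named searchDL), reproduces the breakout with the writeup's final payload, and shows a hardened rendering beside it. The function names renderSearchScriptVulnerable, renderSearchScriptHardened, jsStringLiteral and runScript are chosen here, the filter (strip `"` and `>`) is an assumption drawn from the writeup's observation that those two characters were removed, and the cookie value is constructed.

```javascript
// Added example, not the original page's code. Names and the filter are
// assumptions (see the lead-in); the cookie value is constructed.

// The writeup's final payload, with straight ASCII quotes.
const FINAL_PAYLOAD = "victor',count: '1'};alert(document.cookie);var j ={keyword: '1";

// Vulnerable rendering: strip `"` and `>` (assumed filter), then interpolate
// the value into a single-quoted JS string inside an object literal. The
// single quote survives, so the attacker can terminate the string, close the
// object and the statement, run code, and re-open an object literal that the
// rest of the original statement completes.
function renderSearchScriptVulnerable(keyword, count) {
  const filtered = String(keyword).replace(/[">]/g, "");
  return `var j = {keyword: '${filtered}', count: '${count}'};searchDL(j);`;
}

// Encode a value as a JavaScript string literal that is safe to embed in an
// inline <script>: JSON.stringify escapes quotes, backslashes and control
// characters, and the second pass escapes `<`, `>`, `&` and U+2028/U+2029 so
// the literal can neither close the <script> element nor break the parser.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened rendering: every dynamic value goes through jsStringLiteral, so
// no input can leave the string context.
function renderSearchScriptHardened(keyword, count) {
  return `var j = {keyword: ${jsStringLiteral(keyword)}, count: ${jsStringLiteral(count)}};searchDL(j);`;
}

// Execute a rendered script the way the browser would, with alert(),
// document and searchDL stubbed so the outcome can be observed.
// Returns the alerts that fired, the objects searchDL received, and j.
function runScript(script) {
  const alerts = [];
  const received = [];
  const fakeDocument = { cookie: "session=abc123" }; // constructed sample cookie
  const fn = new Function("alert", "document", "searchDL", script + ";return j;");
  const j = fn((m) => alerts.push(String(m)), fakeDocument, (o) => received.push(o));
  return { alerts, received, j };
}

// Stand-alone demo: the vulnerable page fires alert(document.cookie); the
// hardened page keeps the whole payload as inert data in j.keyword.
const vuln = runScript(renderSearchScriptVulnerable(FINAL_PAYLOAD, "5"));
console.log("vulnerable page alerts:", vuln.alerts);            // ["session=abc123"]
const safe = runScript(renderSearchScriptHardened(FINAL_PAYLOAD, "5"));
console.log("hardened page alerts:", safe.alerts);              // []
console.log("payload kept as data:", safe.j.keyword === FINAL_PAYLOAD); // true
```

The hardened version deliberately does not try to enumerate bad characters: it emits a literal that is correct for the JavaScript grammar, which is the only property that matters once user input is placed inside a script. Run it under Node to see both outcomes side by side.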
