In this article, we will discuss the Cross-Site Scripting (XSS) vulnerability, explain how to find one, and present 25 disclosed reports based on this issue.
What is XSS?
XSS stands for Cross-Site Scripting. It is a web-based vulnerability in which an attacker can inject malicious scripts (usually JavaScript) into the application. A common impact is that the attacker can steal sensitive cookies such as session tokens.
Types of XSS
- Stored/Persistent XSS: malicious scripts are stored in the application, for example in a comment section.
- Reflected/Non-persistent XSS: malicious scripts are reflected back to the user in the server's response, for example in a search query.
- DOM-Based/Client-Side XSS: malicious scripts are injected into the Document Object Model and executed on the client side; the web server's response is not modified.
- Self-XSS: the victim is tricked into running malicious scripts on their own side, for example in their web developer console.
How to find XSS in a bug bounty program
First, identify all the user inputs in the application, then experiment with them: send malicious scripts inside the input, observe how the server responds, and try to bypass restrictions such as tag removal, encoding or character blacklisting.
Also, inject some XSS polyglots like this:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
The following links contain lists of payloads like the one above:
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Polyglots/XSS-Polyglots.txt
https://gist.github.com/michenriksen/d729cd67736d750b3551876bbedbe626
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
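As an added example that is not part of the original article, the following Node.js snippet shows the defender's side of the "see how the server responds" step: a search page rendered with raw string concatenation (the reflected-XSS pattern) beside the same page with context-aware output encoding, plus the check that tells the two apart. All function names and the probe string are constructed for this demonstration.

```javascript
// Added example (not from the original article): a minimal server-side
// render of a "search" page, once with raw string concatenation (the
// reflected-XSS pattern the article describes) and once with context-aware
// output encoding. The probe string at the bottom is constructed here.

// Encode for HTML text and attribute contexts: every character that can
// open a tag, close an attribute or start an entity becomes a numeric entity.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'\/`=]/g,
    (c) => "&#" + c.charCodeAt(0) + ";");
}

// Encode for a string literal inside an inline <script>: \uXXXX escaping
// keeps quotes, angle brackets and "</script>" inert inside the literal.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Vulnerable: the query lands in three different contexts with no encoding,
// so a single reflected value is interpreted as HTML, attribute and JS.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>` +
         `<input name="q" value="${query}">` +
         `<script>var lastQuery = "${query}";</script>`;
}

// Hardened: each context gets the encoder that matches its grammar.
function renderSearchSafe(query) {
  return `<h1>Results for ${encodeHtml(query)}</h1>` +
         `<input name="q" value="${encodeHtml(query)}">` +
         `<script>var lastQuery = "${encodeJsString(query)}";</script>`;
}

// The check a tester or a regression test applies: does the probe come back
// verbatim (unencoded) anywhere in the response body?
function reflectsUnencoded(responseBody, probe) {
  return responseBody.includes(probe);
}

// Constructed probe: harmless markup that would break out of all three contexts.
const PROBE = '"><b>probe</b>';
console.log(reflectsUnencoded(renderSearchUnsafe(PROBE), PROBE)); // true
console.log(reflectsUnencoded(renderSearchSafe(PROBE), PROBE));   // false
```

The same check applied to the stored and DOM-based variants is identical in spirit: the input is the stored value or the URL fragment, and the "response" is whatever ends up in the page's markup.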
Top 25 XSS Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
#1
Title: Stored XSS on https://paypal.com/signin via cache poisoning
Company: PayPal
Bounty: $18,900
#2
Title: XSS in steam react chat client
Company: Valve
Bounty: $7,500
#3
Title: Stored XSS in developer.uber.com
Company: Uber
Bounty: $7,500
#4
Title: Stored XSS on any page in most Uber domains
Company: Uber
Bounty: $6,000
#5
Title: H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing
Company: Shopify
Bounty: $5,000
#6
Title: XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications
Company: Shopify
Bounty: $5,000
#7
Title: Stored XSS in Wiki pages
Company: GitLab
Bounty: $4,500
#8
Title: Persistent XSS in Note objects
Company: GitLab
Bounty: $4,500
#9
Title: Cross-site Scripting (XSS) - Stored in RDoc wiki pages
Company: GitLab
Bounty: $3,500
#10
Title: Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
Company: LocalTapiola
Bounty: $3,000
#11
Title: Persistent XSS on keybase.io via "payload" field in `/user/sigchain_signature.toffee` template
Company: Keybase
Bounty: $3,000
#12
Title: XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
Company: Shopify
Bounty: $3,000
#13
Title: Reflected XSS in lert.uber.com
Company: Uber
Bounty: $3,000
#14
Title: Stored XSS in Brower `name` field reflected in two pages
Company: New Relic
Bounty: $3,000
#15
Title: XSS via Direct Message deeplinks
Company: Twitter
Bounty: $2,940
#16
Title: Multiple DOMXSS on Amplify Web Player
Company: Twitter
Bounty: $2,520
#17
Title: Cross-site scripting (reflected)
Company: Twitter
Bounty: $2,520
#18
Title: URL Advisor component in KIS products family is vulnerable to Universal XSS
Company: Kaspersky
Bounty: $2,500
#19
Title: IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier
Company: HackerOne
Bounty: $2,500
#20
Title: Stored XSS on activity
Company: Shopify
Bounty: $2,000
#21
Title: XSS while logging using Google
Company: Shopify
Bounty: $1,750
#22
Title: Reflected XSS in *.myshopify.com/account/register
Company: Shopify
Bounty: $1,500
#23
Title: Persistent DOM-based XSS in https://help.twitter.com via localStorage
Company: Twitter
Bounty: $1,120
#24
Title: XSS vulnerable parameter in a location hash
Company: Slack
Bounty: $1,100
#25
Title: XSS on Desktop Client
Company: Keybase
Bounty: $1,000
Bonus: 10 Easy & Simple XSS Reports
#1 Bonus
Title: Stored XSS in community.ubnt.com
Company: Ubiquiti Inc.
Bounty: $500
#2 Bonus
Title: [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/
Company: Grab
Bounty: $200
#3 Bonus
Title: XSS Stored
Company: Coursera
Bounty: None
#4 Bonus
Title: Reflective XSS at olx.ph
Company: OLX
Bounty: None
#5 Bonus
Title: Stored XSS on Zeit.co user profile
Company: ZEIT
Bounty: None
#6 Bonus
Title: Stored XSS on Issue details page
Company: GitLab
Bounty: None
#7 Bonus
Title: Stored XSS in infogram.com via language
Company: Infogram
Bounty: None
#8 Bonus
Title: Stored XSS at https://finance.owox.com/customer/accountList
Company: OWOX Inc.
Bounty: None
#9 Bonus
Title: XSS inside HTML Link Tag
Company: OLX
Bounty: None
#10 Bonus
Title: DOM Based XSS in mycrypto.com
Company: MyCrypto
Bounty: None
Thank you very much for your attention, and I wish you good luck in finding as many bugs as possible and getting big rewards!