While hunting for reflected XSS, instead of blindly testing random parameters, search engines can be used as a passive reconnaissance tool. Google dorking helps identify specific applications and technologies that historically contain reflection points. In this case, a webmail application powered by IceWarp Server was identified.

DORK : inurl:/webmail/ intext:Powered by IceWarp Server

One of the results exposed a webmail endpoint with a color parameter. The parameter value was reflected in the HTML response.

- The actual target URL has been intentionally hidden to follow responsible disclosure practices.

https://mail.[REDACTED-DOMAIN]/webmail/

- Reflection testing: To confirm reflection, a simple test value was added to the color parameter.

?color=yash

- The value yash was observed in the page source, confirming that user input is reflected without proper encoding.
- After confirming reflection, a minimal XSS payload was injected. The payload was URL encoded to ensure proper transmission.

"><svg/onload=alert(1)>

- URL Encoded : %22%3E%3Csvg/onload=alert(1)%3E

https://mail.[REDACTED-DOMAIN]/webmail/?color=%22%3E%3Csvg/onload=alert(1)%3E

- When the URL was opened in the browser, a JavaScript alert popup appeared immediately, confirming reflected XSS.

IMPACT : An attacker can craft a malicious URL and send it to a victim via email or messaging platforms. Once clicked, the payload executes in the victim's browser under the webmail origin. This can lead to session hijacking, phishing attacks, or unauthorized actions within the application.
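
The fix for this class of bug, as an added example that is not part of the original write-up and not IceWarp's code: the same color value rendered verbatim, with output encoding, and with an allowlist plus encoding, then parsed to see which elements and event handlers result. The template, the allowlist pattern and the default value are assumptions, since the real markup is not shown here.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical template: the write-up does not show the real webmail markup.
TEMPLATE = '<div id="skin" data-color="{color}">Inbox</div>'
SAFE_COLOR = re.compile(r"[A-Za-z0-9_-]{1,32}")  # assumed allowlist for a theme name
DEFAULT_COLOR = "default"                         # assumed fallback value
# The URL-encoded test value from the write-up, decoded as the server would see it.
PAYLOAD = unquote("%22%3E%3Csvg/onload=alert(1)%3E")


def render_vulnerable(color: str) -> str:
    """Reflect the parameter verbatim, the behaviour the write-up observed."""
    return TEMPLATE.format(color=color)


def render_encoded(color: str) -> str:
    """Encode for the quoted-attribute context so the value cannot close it."""
    return TEMPLATE.format(color=html.escape(color, quote=True))


def render_hardened(color: str) -> str:
    """Reject anything outside the allowlist, then still encode on output."""
    if not SAFE_COLOR.fullmatch(color):
        color = DEFAULT_COLOR
    return render_encoded(color)


class TagAudit(HTMLParser):
    """Collect the elements and on* handler attributes Python's parser finds."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(markup: str):
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers


if __name__ == "__main__":
    for render in (render_vulnerable, render_encoded, render_hardened):
        print(render.__name__, audit(render(PAYLOAD)))
```

Only the verbatim rendering yields an extra svg element carrying an onload handler; the encoded and hardened renderings keep the whole value inside the attribute or replace it with the default.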