Reflected XSS
Hi, I am Vivek. I am a learner and have very basic knowledge of bug bounty.
This is my first bug bounty write-up.
Finding: Reflected XSS.
What is Reflected XSS?
A reflected XSS (also called a non-persistent XSS attack) happens when a malicious script supplied in a request is reflected back by the web application into its response and executed in the victim's browser. The script is usually injected through the query string, so the vulnerability can be exploited simply by getting a user to click on a crafted link.
There are many other definitions of the same thing.
When I was just scrolling through a website, say https://example.com, I found an interesting URL: https://example.com/../../../html_content&pageID=<something>
As you can see in the above URL, the most interesting parameter seems to be pageID. What first came to my mind was SQL injection, so I started testing it with various SQL injection payloads. Unfortunately, all I was able to see was a stack trace and an error message, which was:
Error opening /../../../temp_static.jsp.
The source of this error is:
javax.servlet.ServletException: requested URL string is null
at weblogic.servlet.jsp.PageContextImpl.getRD(PageContextImpl.java:115)
at weblogic.servlet.jsp.PageContextImpl.include(PageContextImpl.java:163)
at jsp_servlet._templatestatic.__template_static._jspService(__template_static.javaetc,,,
etc...
Next I reviewed the page source, where I found the biggest hint of a possible XSS: whatever input I gave in the pageID= parameter was reflected into the source without being encoded, roughly like this:
<body onload="javascript:getData('<reflected input>',' ');"/>
It was now very clear which payload to use.
Payload used was: ',' ');"/> <script>alert(document.domain)</script>
When I pasted the edited link into a new tab, BOOOOM, the JavaScript payload executed.
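As an added example that is not part of the original write-up, the snippet below models the reflection described above in Python (the real page was JSP): a constructed stand-in for the onload template, the same payload reflected verbatim, and a hardened render that encodes the value for the JavaScript-string context and then for the HTML-attribute context, so the quote-break-out no longer works. The template, getData and all helper names are assumptions.

```python
import html

# Constructed stand-in for the vulnerable template the write-up describes:
#   <body onload="javascript:getData('<reflected input>',' ');"/>
TEMPLATE = '<body onload="javascript:getData(\'{value}\',\' \');"/>'

# The write-up's payload, with straight quotes.
PAYLOAD = "',' ');\"/> <script>alert(document.domain)</script>"


def render_vulnerable(page_id: str) -> str:
    """Reflect pageID verbatim into the onload attribute, as the write-up describes."""
    return TEMPLATE.format(value=page_id)


def js_string_escape(value: str) -> str:
    """Escape for a JavaScript string literal: every non-alphanumeric character
    becomes \\xHH or \\uHHHH, so the literal cannot be terminated early."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def render_hardened(page_id: str) -> str:
    """Encode inside-out: first for the JS string, then for the HTML attribute
    around it (the browser decodes entities before the JS engine sees the text)."""
    return TEMPLATE.format(value=html.escape(js_string_escape(page_id), quote=True))


def escapes_attribute(rendered: str) -> bool:
    """Crude check: a second tag opener means the input broke out of the attribute."""
    return rendered.count("<") > 1 or "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
```

The hardened output still calls getData with the original value, because the JS engine turns \x27 back into a quote only inside the string literal.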
It was a very easy finding and I hope you enjoyed reading this post.
Thank you.
Have a Great Day :)