How I Found Multiple XSS in Hidden Legacy Pages

Introduction

The site I am hunting on is a private program, so I can’t disclose the URLs; I am just going to discuss the method.

Finding the vulnerability

  1. Open https://sub.redacted.com/robots.txt
  2. Found a directory named “web-app”
  3. /web-app/ is blank, so I tried guessing random files.
  4. /web-app/dashboard.php redirects to /web-app/logout.php
  5. Then I view-source and found lots of .js files.
  6. .js files contain URLs and lots of parameters 😎
  7. Manually checked all the URLs and parameters (a lot are not working since they are legacy pages). This is to see if any of the parameter values get reflected in the page.
  8. Finally found 2 reflected XSS vulnerabilities (1 authenticated and 1 unauthenticated).
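The two parts of steps 6 to 8 that take the most time by hand are pulling the endpoints and parameter names out of the bundled JavaScript, and checking whether a parameter value comes back in the page without output encoding. The script below is an added example written for this write-up, not the author's tooling: the JavaScript snippet, the paths under /web-app/, the parameter names and the canary string are all constructed for the demo, and the two render functions stand in for a legacy page that echoes a value raw versus one that HTML-encodes it.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of the kind of legacy script the write-up describes:
# quoted URLs with query strings scattered through the code.
SAMPLE_JS = """
var api = "/web-app/search.php?q=&page=1";
$.get('/web-app/profile.php?user=' + uid + '&tab=info');
location.href = "https://sub.example.com/web-app/report.php?id=42&format=html";
"""

# Matches a quoted absolute or root-relative URL that carries a query string.
# The backreference keeps the opening and closing quote consistent.
URL_RE = re.compile(r"""(["'])((?:https?://[^"'\s]+|/[^"'\s]*?)\?[^"'\s]*)\1""")

# A harmless marker: letters plus the characters an HTML encoder must transform.
# It is an encoding probe, not an exploit string.
CANARY = "xq7<>\"'&xq7"


def extract_endpoints(js_text):
    """Build an inventory {path: sorted parameter names} from JS source.

    Blank values (q=) are kept because the parameter name is what matters
    for deciding which inputs to review.
    """
    found = {}
    for m in URL_RE.finditer(js_text):
        parsed = urlparse(m.group(2))
        params = parse_qs(parsed.query, keep_blank_values=True)
        found.setdefault(parsed.path, set()).update(params)
    return {path: sorted(names) for path, names in found.items()}


def is_reflected_unescaped(body, canary):
    """True when the canary survives verbatim in the response body.

    If the page encodes output, the <, >, quotes and & in the canary are
    rewritten, so the exact string is absent and the check returns False.
    """
    return canary in body


def render_legacy(q):
    """Hypothetical legacy handler: echoes the parameter with no encoding."""
    return f"<p>Results for: {q}</p>"


def render_fixed(q):
    """Same page with the fix: HTML-encode the value before it hits markup."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def triage(js_text):
    """Report, per endpoint, which parameter names to review for reflection."""
    return [(path, names) for path, names in sorted(extract_endpoints(js_text).items())]


if __name__ == "__main__":
    for path, names in triage(SAMPLE_JS):
        print(f"{path}: {', '.join(names)}")
    print("legacy reflects raw:", is_reflected_unescaped(render_legacy(CANARY), CANARY))
    print("fixed reflects raw: ", is_reflected_unescaped(render_fixed(CANARY), CANARY))
```

In practice the inventory is the useful artefact for a defender too: running `extract_endpoints` over a site's served scripts shows which legacy endpoints and parameters are still reachable even when nothing links to them, which is exactly the surface this write-up found through robots.txt.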

Report Timeline

July 19 and 21, 2021 — Report Submitted
Sept 1, 2021 — Triaged as P3 and eligible for $500 bounty each
