- Published on
XSS is super common and this is a classic phishing bug #bugbounty #cybersecurity #techtok #hackerone
XSS is super common and this is a classic phishing bug #bugbounty #cybersecurity #techtok #hackerone
Site scripting is one of the most common vulnerabilities on the internet, and I'm going to walk you through an example of DuckDuckGo share that was found by a security researcher and reported to HackerOne.
Now, imagine you have a URL for DuckDuckGo and that URL has a parameter norW
with a value Kyle
. Parameters have values that are often used in the construction of a website. You can imagine something like this:
Hi Kyle
The code for that would look like this. Cross-site scripting (XSS) can happen when that parameter value controlled by me is not prevented from putting code on the web page.
If we go back to the report, you can see there's a proof of concept with a URL and a norW
parameter that includes some code instead of my name. Now you see the original HTML block with my name and the new HTML block with the cross-site scripting payload.
The code is complete, and the payload runs. Running this payload, you'd see this pop-up. The payout wasn't disclosed, but for reflected XSS like this, it's probably $ 250 to $ 500.
Keywords
- XSS
- vulnerabilities
- DuckDuckGo
- HackerOne
- parameters
- payload
- reflected XSS
FAQ
Q1: What is XSS?
A1: XSS (Cross-Site Scripting) is a type of vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Q2: How does XSS work?
A2: XSS works by inserting malicious code into web pages through input fields, URLs, or other user-controlled parameters that are not correctly sanitized.
Q3: What is a reflected XSS attack?
A3: Reflected XSS is a type of XSS attack where the malicious script is reflected off a web server, such as in an error message, search result, or any other response that includes some or all input sent to the server as part of the request.
Q4: What are the typical payouts for finding XSS vulnerabilities?
A4: For reflected XSS vulnerabilities, the payouts typically range from $ 250 to $ 500, depending on the severity and the impact of the vulnerability.