Top 25 XSS Bug Bounty Reports
Cristian Cornea
Jan 10, 2020
In this article, we will discuss Cross-Site Scripting (XSS) vulnerability, how to find one and present 25 disclosed reports based on this issue.
What is XSS?
XSS stands for Cross-Site Scripting. It is a web-based vulnerability in which an attacker can inject malicious scripts (usually JavaScript) into the application. A common impact is that the attacker can steal sensitive cookies such as session tokens.
Types of XSS
- Stored/Persistent XSS: malicious scripts are stored by the application, for example in a comment section.
- Reflected/Non-persistent XSS: malicious scripts are returned to the user in the response, for example in a search query.
- DOM-Based/Client-Side XSS: malicious scripts are injected into the Document Object Model and executed on the client side; the web server's response isn't modified.
- Self-XSS: the victim is tricked into running malicious scripts on their own side, for example in their browser's web developer console.
How to find XSS in a bug bounty program
First, identify all the user inputs in the application, then play with them. Send malicious scripts through each input, see how the server responds, and try to bypass restrictions such as tag removal, encoding, or character blacklisting.
Also, inject some XSS polyglots like this:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Here are some links to lists of payloads like the one above.
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Polyglots/XSS-Polyglots.txt
https://gist.github.com/michenriksen/d729cd67736d750b3551876bbedbe626
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
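The reflected search-query case from the list of XSS types above, written out as an added example that is not part of the article: a page that reflects the search term raw beside the same page with output encoding, plus a check that the polyglot above no longer reaches the response as markup. Node.js is assumed, and the function names are my own.

```javascript
// Added example (not from the article): reflected XSS in a search page,
// vulnerable and hardened, with a reviewer's output-encoding check.
// Assumes plain Node.js; no framework or third-party modules.

// Encode for HTML body and double-quoted attribute contexts. Every
// character that can close a tag, an attribute or a JS string is replaced.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "`": "&#96;",
  })[c]);
}

// Vulnerable: the search term is concatenated straight into the response,
// so whatever the user sent comes back as markup (reflected XSS).
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>` +
         `<input name="q" value="${query}">`;
}

// Hardened: same page, but the untrusted value is encoded before it is
// placed in the HTML body and in the attribute value.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for: ${q}</h1>` +
         `<input name="q" value="${q}">`;
}

// The polyglot quoted in the article, embedded here as test input
// (backslashes and quotes escaped for a JS string literal).
const POLYGLOT = "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )" +
  "//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>" +
  "\\x3csVg/<sVg/oNloAd=alert()//>\\x3e";

// Reviewer check: how many tag openers does the payload add to the page
// beyond those of the page's own template? Zero means nothing from the
// input is parsed as markup. (For DOM XSS the same principle applies:
// assign untrusted data to textContent, never innerHTML.)
function countLt(s) { return (s.match(/</g) || []).length; }
function extraTagOpeners(render, payload) {
  return countLt(render(payload)) - countLt(render(""));
}

// Usage: the vulnerable page gains 10 tag openers from the polyglot
// (5 in the body, 5 in the attribute); the hardened page gains none.
console.log(extraTagOpeners(renderSearchVulnerable, POLYGLOT)); // 10
console.log(extraTagOpeners(renderSearchSafe, POLYGLOT));       // 0
```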
Top 25 XSS Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
#1
Title: Stored XSS on https://paypal.com/signin via cache poisoning
Company: PayPal
Bounty: $18,900
Link: https://hackerone.com/reports/488147
#2
Title: XSS in steam react chat client
Company: Valve
Bounty: $7,500
Link: https://hackerone.com/reports/409850
#3
Title: Stored XSS in developer.uber.com
Company: Uber
Bounty: $7,500
Link: https://hackerone.com/reports/131450
#4
Title: Stored XSS on any page in most Uber domains
Company: Uber
Bounty: $6,000
Link: https://hackerone.com/reports/217739
#5
Title: H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing
Company: Shopify
Bounty: $5,000
Link: https://hackerone.com/reports/422043
#6
Title: XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications
Company: Shopify
Bounty: $5,000
Link: https://hackerone.com/reports/232174
#7
Title: Stored XSS in Wiki pages
Company: GitLab
Bounty: $4,500
Link: https://hackerone.com/reports/526325
#8
Title: Persistent XSS in Note objects
Company: GitLab
Bounty: $4,500
Link: https://hackerone.com/reports/508184
#9
Title: Cross-site Scripting (XSS) — Stored in RDoc wiki pages
Company: GitLab
Bounty: $3,500
Link: https://hackerone.com/reports/662287
#10
Title: Blind Stored XSS Against Lahitapiola Employees — Session and Information leakage
Company: LocalTapiola
Bounty: $3,000
Link: https://hackerone.com/reports/159498
#11
Title: Persistent XSS on keybase.io via “payload” field in `/user/sigchain_signature.toffee` template
Company: Keybase
Bounty: $3,000
Link: https://hackerone.com/reports/245296
#12
Title: XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on “/:id/digital_wallets/dialog”
Company: Shopify
Bounty: $3,000
Link: https://hackerone.com/reports/231053
#13
Title: Reflected XSS in lert.uber.com
Company: Uber
Bounty: $3,000
Link: https://hackerone.com/reports/191810
#14
Title: Stored XSS in Brower `name` field reflected in two pages
Company: New Relic
Bounty: $3,000
Link: https://hackerone.com/reports/348076
#15
Title: XSS via Direct Message deeplinks
Company: Twitter
Bounty: $2,940
Link: https://hackerone.com/reports/341908
#16
Title: Multiple DOMXSS on Amplify Web Player
Company: Twitter
Bounty: $2,520
Link: https://hackerone.com/reports/88719
#17
Title: Cross-site scripting (reflected)
Company: Twitter
Bounty: $2,520
Link: https://hackerone.com/reports/176754
#18
Title: URL Advisor component in KIS products family is vulnerable to Universal XSS
Company: Kaspersky
Bounty: $2,500
Link: https://hackerone.com/reports/463915
#19
Title: IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier
Company: HackerOne
Bounty: $2,500
Link: https://hackerone.com/reports/449351
#20
Title: Stored XSS on activity
Company: Shopify
Bounty: $2,000
Link: https://hackerone.com/reports/391390
#21
Title: XSS while logging using Google
Company: Shopify
Bounty: $1,750
Link: https://hackerone.com/reports/691611
#22
Title: Reflected XSS in *.myshopify.com/account/register
Company: Shopify
Bounty: $1,500
Link: https://hackerone.com/reports/470206
#23
Title: Persistent DOM-based XSS in https://help.twitter.com via localStorage
Company: Twitter
Bounty: $1,120
Link: https://hackerone.com/reports/297968
#24