Top 25 XSS Bug Bounty Reports


Cristian Cornea


Jan 10, 2020·4 min read


In this article, we will discuss Cross-Site Scripting (XSS) vulnerability, how to find one and present 25 disclosed reports based on this issue.


What is XSS?


XSS stands for Cross-Site Scripting and it is a web-based vulnerability in which an attacker can inject malicious scripts (usually JavaScript) into the application. A common impact is that an attacker can steal sensitive cookies such as session tokens.


Types of XSS


Stored/Persistent XSS: malicious scripts are stored in the application, for example in a comment section.


Reflected/Non-persistent XSS: malicious scripts are returned to the user, for example in a search query.


DOM-Based/Client-Side XSS: malicious scripts are injected into the Document Object Model and executed on the client side; the web server's response isn't modified.


Self-XSS: the victim is tricked into running malicious scripts on their own side, for example in their web developer console.


How to find XSS in a bug bounty program


First, identify all the user inputs in the application, then play with them. Send malicious scripts inside the input, see how the server responds, try to bypass the restrictions such as tag removal, encoding or character blacklisting.


Also, inject some XSS polyglots like this:


jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e


I will provide some links that contain lists with payloads like the one above.


https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Polyglots/XSS-Polyglots.txt


https://gist.github.com/michenriksen/d729cd67736d750b3551876bbedbe626


https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
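As an added example, not code from the article and not taken from any of the reports below, the snippet models the testing loop described above from the fixing side: a reflected "search results" page rendered three ways (raw concatenation, a blacklist that only strips script tags, and context-aware HTML encoding), fed with the polyglot quoted above as a constructed test input. All function names (escapeHtml, stripScriptTags, renderVulnerable, renderBlacklisted, renderSafe, hasInjectedTag) are this example's own, not any library's.

```javascript
// Constructed test input: the XSS polyglot quoted in the article, as a JS string
// (backslashes and quotes escaped so the characters are exactly the ones above).
const POLYGLOT =
  'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert() )' +
  '//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>' +
  '\\x3csVg/<sVg/oNloAd=alert()//>\\x3e';

// Encoder for the HTML text context (and double-quoted attribute values):
// every character that can open a tag, end an attribute or start an entity
// is turned into an entity, so the browser can only ever treat it as text.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  };
  return String(untrusted).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Naive blacklist of the kind the article says testers try to bypass:
// removes <script ...> and </script ...> and nothing else.
function stripScriptTags(untrusted) {
  return String(untrusted).replace(/<\/?script[^>]*>/gi, '');
}

const PREFIX = '<p>Results for: ';
const SUFFIX = '</p>';

// Vulnerable: the query is concatenated straight into markup (reflected XSS).
function renderVulnerable(query) {
  return PREFIX + query + SUFFIX;
}

// Still vulnerable: other tags and inline event handlers survive the blacklist.
function renderBlacklisted(query) {
  return PREFIX + stripScriptTags(query) + SUFFIX;
}

// Fixed: untrusted data is encoded for the context it lands in.
function renderSafe(query) {
  return PREFIX + escapeHtml(query) + SUFFIX;
}

// Detection check for a test harness: does the user-controlled part of the
// rendered page contain a raw tag start that the template never emitted?
function hasInjectedTag(html) {
  const body = html.slice(PREFIX.length, html.length - SUFFIX.length);
  return /<[a-z!/]/i.test(body);
}

// Stand-alone run: report which renderer lets the polyglot reach the parser as markup.
for (const [name, render] of Object.entries({ renderVulnerable, renderBlacklisted, renderSafe })) {
  console.log(name, hasInjectedTag(render(POLYGLOT)) ? 'INJECTED TAG' : 'text only');
}
```

The encoder above is only correct for the HTML text and quoted-attribute contexts. The polyglot's leading `jaVasCript:` targets a different sink (a URL attribute such as `href`), where the fix is an allowlist of URL schemes rather than entity encoding, and a DOM-based sink such as `innerHTML` needs the value assigned through `textContent` instead. The test harness shows why the blacklist fails: stripping one tag name leaves every other element and event handler in the polyglot intact.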


Top 25 XSS Bug Bounty Reports


The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.


#1


Title: Stored XSS on https://paypal.com/signin via cache poisoning


Company: PayPal


Bounty: $18,900


Link: https://hackerone.com/reports/488147


#2


Title: XSS in steam react chat client


Company: Valve


Bounty: $7,500


Link: https://hackerone.com/reports/409850


#3


Title: Stored XSS in developer.uber.com


Company: Uber


Bounty: $7,500


Link: https://hackerone.com/reports/131450


#4


Title: Stored XSS on any page in most Uber domains


Company: Uber


Bounty: $6,000


Link: https://hackerone.com/reports/217739


#5


Title: H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing


Company: Shopify


Bounty: $5,000


Link: https://hackerone.com/reports/422043


#6


Title: XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications


Company: Shopify


Bounty: $5,000


Link: https://hackerone.com/reports/232174


#7


Title: Stored XSS in Wiki pages


Company: GitLab


Bounty: $4,500


Link: https://hackerone.com/reports/526325


#8


Title: Persistent XSS in Note objects


Company: GitLab


Bounty: $4,500


Link: https://hackerone.com/reports/508184


#9


Title: Cross-site Scripting (XSS) — Stored in RDoc wiki pages


Company: GitLab


Bounty: $3,500


Link: https://hackerone.com/reports/662287


#10


Title: Blind Stored XSS Against Lahitapiola Employees — Session and Information leakage


Company: LocalTapiola


Bounty: $3,000


Link: https://hackerone.com/reports/159498


#11


Title: Persistent XSS on keybase.io via “payload” field in `/user/sigchain_signature.toffee` template


Company: Keybase


Bounty: $3,000


Link: https://hackerone.com/reports/245296


#12


Title: XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on “/:id/digital_wallets/dialog”


Company: Shopify


Bounty: $3,000


Link: https://hackerone.com/reports/231053


#13


Title: Reflected XSS in lert.uber.com


Company: Uber


Bounty: $3,000


Link: https://hackerone.com/reports/191810


#14


Title: Stored XSS in Brower `name` field reflected in two pages


Company: New Relic


Bounty: $3,000


Link: https://hackerone.com/reports/348076


#15


Title: XSS via Direct Message deeplinks


Company: Twitter


Bounty: $2,940


Link: https://hackerone.com/reports/341908


#16


Title: Multiple DOMXSS on Amplify Web Player


Company: Twitter


Bounty: $2,520


Link: https://hackerone.com/reports/88719


#17


Title: Cross-site scripting (reflected)


Company: Twitter


Bounty: $2,520


Link: https://hackerone.com/reports/176754


#18


Title: URL Advisor component in KIS products family is vulnerable to Universal XSS


Company: Kaspersky


Bounty: $2,500


Link: https://hackerone.com/reports/463915


#19


Title: IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier


Company: HackerOne


Bounty: $2,500


Link: https://hackerone.com/reports/449351


#20


Title: Stored XSS on activity


Company: Shopify


Bounty: $2,000


Link: https://hackerone.com/reports/391390


#21


Title: XSS while logging using Google


Company: Shopify


Bounty: $1,750


Link: https://hackerone.com/reports/691611


#22


Title: Reflected XSS in *.myshopify.com/account/register


Company: Shopify


Bounty: $1,500


Link: https://hackerone.com/reports/470206


#23


Title: Persistent DOM-based XSS in https://help.twitter.com via localStorage


Company: Twitter


Bounty: $1,120


Link: https://hackerone.com/reports/297968


#24


Report Page