My First Bug: How I Was Able to Bypass the WAF and Uncover a Reflected XSS
Summary
Fares shares their experience and the process they took to uncover a reflected XSS vulnerability within a public bug bounty program.
The first step was to enumerate subdomains with tools such as Subfinder and Assetfinder, which compile lists of candidate subdomains that can then be checked for live hosts.
Httpx helps to pinpoint the live subdomains, which can then be investigated further for vulnerabilities.
They discovered an endpoint that allowed fuzzing of parameters, and upon adding ak=FUZZ to the endpoint, the response reflected the “ak” parameter, leading to further investigation.
Attempts to inject JavaScript were unsuccessful, as they were redirected to an error page, prompting Fares to investigate the cause of the redirect.
They observed that certain special characters could be injected into the payload without triggering a redirect, and further observed that while the server removed the "=" symbol, this did not prevent access to the cookie, as cookies can also be accessed without using the "=" symbol.
This discovery made it possible to craft a payload that reflected the desired code (<=script>=alert("hacked")</script>=) without triggering the error page.
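The root cause summarised above, as an added example that is not from the original post: a sanitiser that strips "=" characters reassembles the script tag after the WAF has already inspected the raw input, whereas HTML-encoding the reflected value neutralises it. The filter, the page template and the signature check are assumptions made for the illustration.

```python
import html

# Payload from the write-up: "=" characters split the tag so a raw-input
# signature does not see "<script".
PAYLOAD = '<=script>=alert("hacked")</script>='


def naive_waf_blocks(raw: str) -> bool:
    """Assumed WAF rule: match a script tag in the raw parameter value."""
    return "<script" in raw.lower()


def strip_equals(value: str) -> str:
    """Assumed server-side 'sanitiser': delete every "=" character.

    Deleting characters can recreate a token that was not present in
    the input the WAF inspected, which is the flaw this example shows.
    """
    return value.replace("=", "")


def render_naive(param: str) -> str:
    """Reflect the stripped value into HTML without encoding (vulnerable)."""
    return f"<p>Search results for: {strip_equals(param)}</p>"


def render_encoded(param: str) -> str:
    """Reflect the value with contextual HTML encoding (mitigation)."""
    return f"<p>Search results for: {html.escape(param, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """Check whether the rendered page carries a live <script> tag."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("WAF blocks raw payload:      ", naive_waf_blocks(PAYLOAD))
    print("Naive page contains <script>:", contains_script_tag(render_naive(PAYLOAD)))
    print("Encoded page contains <script>:", contains_script_tag(render_encoded(PAYLOAD)))
```

Matching the signature against the same normalised value the application will use (`naive_waf_blocks(strip_equals(PAYLOAD))`) catches this case, but output encoding is the fix that does not depend on guessing every transformation.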