OLX reflected XSS
A reflected XSS vulnerability was found on sharjah.dubizzle.com (OLX property) where unsanitized user input was reflected in an HTML link tag. The vulnerability exploited the HTML accesskey attribute combined with onclick handler to execute arbitrary JavaScript when users pressed ALT+SHIFT+X.
OLX Bug Bounty: Reflected XSS | by Akbar Kustirama - Freedium
Who would have thought that there was even a bug we could find on a 404 Not Found page, right?
Akbar Kustirama
March 13, 2019 (Updated: December 8, 2021)
This time I am writing up how I found a reflected XSS on one of the domains in scope for OLX, sharjah.dubizzle.com.
Steps to Reproduce
Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert(1337) codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/ (you can copy and paste).
The XSS is reflected inside an HTML link tag.
Press ALT + SHIFT + X on the keyboard to trigger the XSS payload.
An alert will show up.
After the bug was fixed, my name was entered in the Security Hall of Fame 😎
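The reflection described in the steps above, shown next to a hardened rendering, as an added example that is not code from the original post or from OLX. It assumes the server decodes the request path and writes it into a `<link rel="canonical">` tag (the post only says "link tag"); all function names are hypothetical.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

BASE = "https://sharjah.dubizzle.com"
# Constructed input: the decoded request path from the reproduction step above.
PATH = ('/property-for-sale/land" accesskey="X" onclick=alert(1337) '
        'codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/')


def render_unsafe(path):
    """Vulnerable pattern: the decoded path is concatenated into the attribute."""
    return '<link rel="canonical" href="' + BASE + path + '">'


def render_safe(path):
    """Hardened pattern: percent-encode the path, then HTML-escape the value."""
    url = BASE + quote(path, safe="/")
    return '<link rel="canonical" href="' + escape(url, quote=True) + '">'


class _LinkAttrs(HTMLParser):
    """Collects the attributes a parser sees on the <link> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            self.attrs = dict(attrs)


def link_attributes(html):
    parser = _LinkAttrs()
    parser.feed(html)
    parser.close()
    return parser.attrs


def unexpected_attributes(html, allowed=("rel", "href")):
    """Regression check: attributes the template never emits indicate injection."""
    return sorted(set(link_attributes(html)) - set(allowed))


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        out = render(PATH)
        print(render.__name__, unexpected_attributes(out), out, sep="\n  ")
```

The same `unexpected_attributes` check can run in a template test suite against any page that reflects the request path, including error pages such as the 404 in this report.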
Reference
https://hackerone.com/reports/504984 (Original Report).
https://portswigger.net/blog/xss-in-hidden-input-fields (XSS in hidden input fields).
PS: Sorry, maybe there are some irreverent words. It's semi-google-translate. Hopefully you understand that xD