From Recon to DOM-Based XSS
Abdelfattah Ibrahim
November 11, 2017 (Updated: June 1, 2018)
I was doing some Google dorking to find out whether there were any interesting files or parameters in the bug bounty program's scope. I tried a lot of dorks, and when it was the turn of this one, " site:*.REDACTED.com inurl:file ", I found this endpoint: https://REDACTED.com/files/file.htm
The page listed some articles, so I navigated to one and the URL changed to look like this:
https://REDACTED.com/files/file.htm#article 1.html
After about 5 minutes I figured out that anything you put after "#" is reflected into an IFRAME HTML tag.
so i tried to open an external domain:
https://REDACTED.com/files/file.htm#http ://evil.com
and guess what?
Then I tried to inject the XSS payload "javascript:alert(1)", and it worked!
https://REDACTED.com/files/file.htm#javascript :alert(1)
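The bug is the pattern "take the fragment, put it straight into an iframe src". The following is an added example, not the author's code or anything from the affected site: a function showing that unsafe pattern beside a hardened one that treats the fragment as an article name rather than a URL. The directory `/files/articles/` and the filename allow-list are assumptions made for the illustration.

```javascript
// Added illustration (not from the original write-up). The site's real page
// logic is unknown; the directory below and the filename pattern are assumed.

// Unsafe pattern described in the write-up: whatever follows "#" becomes the
// iframe's src verbatim, so external origins and "javascript:" URLs are accepted.
function vulnerableFrameSrc(hash) {
  return decodeURIComponent(hash.replace(/^#/, ""));
}

// Hardened version: the fragment is an article *name*, never a URL. Only a
// constrained filename is accepted, and it is resolved against a fixed
// same-origin directory, so no scheme or host can come from user input.
const ARTICLE_DIR = "/files/articles/"; // assumed layout
const ARTICLE_NAME = /^[A-Za-z0-9 _-]{1,64}\.html$/; // assumed naming convention

function safeFrameSrc(hash) {
  let name;
  try {
    name = decodeURIComponent(hash.replace(/^#/, ""));
  } catch (e) {
    return null; // malformed percent-encoding: refuse rather than guess
  }
  if (!ARTICLE_NAME.test(name)) return null; // rejects ":", "/", ".." etc.
  return ARTICLE_DIR + encodeURIComponent(name);
}

// Browser wiring; skipped when run under Node for the checks below.
function mountArticleFrame() {
  if (typeof document === "undefined" || typeof location === "undefined") return;
  const src = safeFrameSrc(location.hash);
  const frame = document.getElementById("article-frame"); // assumed element id
  if (!frame) return;
  if (src === null) {
    frame.removeAttribute("src"); // unknown article: show nothing
    return;
  }
  frame.setAttribute("sandbox", ""); // defense in depth even for same-origin content
  frame.src = src;
}

mountArticleFrame();
```

With the hardened function, "#article 1.html" resolves to "/files/articles/article%201.html", while "#javascript:alert(1)" and "#http://evil.com" resolve to null and nothing is framed. Logging those rejected fragments server-side (they are in the URL only client-side, so a small beacon would be needed) is a cheap way to spot probing of this endpoint.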
I hope you guys like the write-up; it's pretty simple, as you can see.
Regards,
Abdelfattah.
#security #bug-bounty #infosec #information-security #hacking