🔲How I Landed My First Reflected XSS in a Popular VDP!

بِسْمِ اللَّـهِ الرَّحْمَٰنِ الرَّحِيمِ، وَالصَّلَاةُ وَالسَّلَامُ عَلَىٰ الْمَبْعُوثِ رَحْمَةً لِلْعَالَمِينَ ﷺ

Hello mates, This is my first write-up about the first Reflected XSS (RXX) I discovered in a popular VDP program. Excited to share the details — let’s dive in!

This write-up highlights the importance of choosing the right subdomain when hunting for injection-based vulnerabilities like Reflected XSS (RXSS). Many hunters focus on the main domain, but weaker security often lies in less obvious subdomains.

By targeting one with relaxed security, I found an RXSS vulnerability that could have been missed on the main site. Here’s how I did it :))

At first, I was looking for the latest subdomains, and one of the easiest ways to do that is Google Dorking. By using the dork:

site:*.target.com/ -www

and then adjusting search tools to filter results by the latest dates, I was able to uncover newly indexed subdomains that might have weaker security measures.

And so, I found a suitable subdomain with a search input that didn’t filter user input properly. It seemed to reflect the input inside a JavaScript context like this:

<script>
fbq('track', 'Search', {
    search_string: 'The word'
});
</script>

This indicated a Reflected XSS vulnerability, as I could inject arbitrary JavaScript into the page.

So, I used the following payload to bypass the filters and trigger the XSS:

'});alert(document.cookie);</script>

This successfully executed in the browser, confirming the Reflected XSS vulnerability :))

Unfortunately, I didn’t get a bounty since it was a VDP (Vulnerability Disclosure Program).

Press enter or click to view image in full size

See you soon! Hope you found this write-up useful. More vulnerabilities coming soon, so stay tuned! Don’t forget to support, share, and follow me on Twitter. Thanks for reading!