Reflected Cross-Site Scripting on the Reddit website (bounty award: $5000)

ShuttlerTech
2 min read · Feb 21, 2023


Hello, Hunters. I know you are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, continue to learn, and never deceive yourself. If you follow these three mantras, you will undoubtedly succeed.

For any confusion about your findings or your career, connect with me 1:1 by clicking on 👉🏻 (TOPMATE).

For this write-up you need to understand that it was not luck or anything like that: I did very deep recon. Sometimes you have to grind through recon activity to get a finding like this.

Let’s start,

Steps to reproduce:

  1. Visit the Reddit website.
  2. Register an account; an email verification link is sent to the registered email address.
  3. Open that link in the browser and add the payload after /verification/ as shown: https://www.reddit.com/verification/asd',%20alert(document.location),%20%27
     (URL-decoded, the path segment is asd', alert(document.location), ' . Its shape tells you what the sink is: the token is reflected into a single-quoted JavaScript string, so the payload closes that string, adds alert(document.location) as an extra comma-separated argument, and reopens the quote so the surrounding script still parses.)
  4. A dialog pops up with two options, "verify email" or "cancel".
  5. Click "verify email" and the XSS payload executes.
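To show what the payload is actually doing, here is an added example in Node.js (written for this edit; it is not Reddit's code and not from the original post). It contains a tiny renderer that drops the URL token into an inline script the way a page vulnerable to this payload would, next to a fixed renderer that encodes the token as a JavaScript string literal, and a small harness that runs the resulting script with a stubbed verifyEmail and alert so you can see what the token did. The route, the verifyEmail function name and the page markup are assumptions for illustration.

```javascript
// Added example (not Reddit's code): simulates a verification page that
// embeds the URL path token in an inline <script> call, once by string
// concatenation (vulnerable) and once through a JS-string-safe encoder (fixed).
// Route, function name and markup are assumptions for illustration.

// The payload from the write-up, exactly as it sits in the path after /verification/.
const RAW_PATH_TOKEN = "asd',%20alert(document.location),%20%27";
// A server URL-decodes the path segment before using it.
const PAYLOAD = decodeURIComponent(RAW_PATH_TOKEN); // asd', alert(document.location), '

// Vulnerable: the token is dropped straight into a single-quoted JS string.
function renderVulnerable(token) {
  return `<html><body><script>verifyEmail('${token}');</script></body></html>`;
}

// Fixed: JSON.stringify yields a valid JS string literal (quotes and backslashes
// escaped). The extra replacements stop a "</script>" in the token from closing
// the script block and keep "&" from being touched by the HTML parser; U+2028
// and U+2029 are line terminators in JS and must not appear raw in a literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(token) {
  return `<html><body><script>verifyEmail(${jsStringLiteral(token)});</script></body></html>`;
}

// Stand-in for the browser: extract the inline script from the page and run it
// with stubbed verifyEmail/alert/document so we can observe what the token did.
function runInlineScript(html) {
  const match = /<script>([\s\S]*?)<\/script>/.exec(html);
  if (!match) throw new Error('no inline script found');
  const result = { verifyArgs: null, alertFired: false, alertMessage: null };
  const verifyEmail = (...args) => { result.verifyArgs = args; };
  const alert = (msg) => { result.alertFired = true; result.alertMessage = String(msg); };
  const document = { location: 'https://www.reddit.com/verification/' + RAW_PATH_TOKEN };
  new Function('verifyEmail', 'alert', 'document', match[1])(verifyEmail, alert, document);
  return result;
}

// Run both renderers against the payload and return what each script did.
function demo() {
  return {
    vulnerable: runInlineScript(renderVulnerable(PAYLOAD)),
    safe: runInlineScript(renderSafe(PAYLOAD)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable rendering the script becomes verifyEmail('asd', alert(document.location), ''): three arguments, and alert fires before verifyEmail is even called. In the fixed rendering verifyEmail receives exactly one argument, the untouched token string, and nothing else runs. The same encoder is what you want any time server-side data has to land inside an inline script; the better option, where the template allows it, is to avoid inline scripts altogether and read the token from a data attribute or a JSON script block, which a Content Security Policy without 'unsafe-inline' then also protects.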

Impact

An attacker can use XSS to steal your cookies, hijack your session, trigger downloads of malicious files, and send custom requests to the site in your name. The attacker can also socially engineer users by redirecting them from the real website to a fake one, and an expert attacker has numerous other attack scenarios available. It is also possible to inject HTML, which changes the content of the original page.

Although this one is easy to find, the lesson of this write-up is that it can be a huge loss for the company: a reflected XSS on a page that users are expected to click through lets someone steal their cookies, hijack their sessions, and push malicious downloads at them.

Thank you for reading! I hope you picked up some tricks.

Subscribe to the ShuttlerTech YouTube channel for more content of this type and to watch live POCs, and to advance your career connect with me 1:1 over Topmate.
To encourage me to write more, follow me on Medium and click the clap icon.


Written by ShuttlerTech

Senior Cyber Security Analyst | YouTuber | Freelancer | Cyber Security Trainer | Penetration Tester | Cyber Forensics Investigator
