How I found an XSS via multiple parameters

Erick Fernando
2 min read · Nov 7, 2023

Hello everyone. After receiving a generous reward on Bugcrowd for an XSS, I would like to share a finding from a Bug Bounty program that I came across a while back while using a fuzzer to look for open redirects and XSS.

I found a way to exploit open redirects and XSS using multiple URL parameters that manipulate the links rendered in the frontend, possibly in Ruby on Rails applications (this is the 3rd time I have found this in a Bug Bounty program).

By sending the parameters `?protocol=A&host=X&subdomain=B&domain=C` all four together in the URL, the application is forced to rewrite some links in the HTML to `href="A://B.C"`, which allows both open redirect and XSS exploitation.
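To make the mechanism concrete from the defender's side, here is an added Ruby example (not the author's code, and not a real Rails application). It models a link builder that merges request query parameters into Rails-style `url_for` options, where `protocol`, `host`, `subdomain` and `domain` are real option names and, by assumption, `subdomain`/`domain` take precedence over `host` as the post's `A://B.C` result suggests. It places that vulnerable builder beside a hardened one that never lets request parameters reach the URL options, and adds a small check that flags requests carrying all four link-rewriting keys, which a proxy or log review could use to spot probing for this pattern. The helper names, the allow-list and the `app.example.com` host are constructed for the example.

```ruby
# Added example (not from the original post): vulnerable vs. hardened link
# building, plus a detection check for the four-parameter pattern.
require 'cgi'
require 'uri'

# Parse a query string into a flat string-keyed hash (constructed helper,
# standing in for the params object of a web framework).
def parse_query(query)
  CGI.parse(query).each_with_object({}) { |(k, v), h| h[k] = v.first }
end

# Assumption: mirrors url_for option precedence, where subdomain + domain
# are assembled into the host and override any explicit host option.
def build_host(opts)
  return "#{opts['subdomain']}.#{opts['domain']}" if opts['subdomain'] && opts['domain']
  opts['host']
end

# Vulnerable: every query parameter is merged into the URL option hash,
# so ?protocol=A&host=X&subdomain=B&domain=C yields "A://B.C/path".
def vulnerable_link(path, query, default_host: 'app.example.com')
  opts = { 'protocol' => 'https', 'host' => default_host }.merge(parse_query(query))
  "#{opts['protocol']}://#{build_host(opts)}#{path}"
end

# Hardened: the origin is fixed server-side and only an explicit allow-list
# of parameters is carried over into the generated link's query string.
ALLOWED_LINK_PARAMS = %w[page sort].freeze

def hardened_link(path, query, default_host: 'app.example.com')
  safe = parse_query(query).select { |k, _| ALLOWED_LINK_PARAMS.include?(k) }
  qs = safe.empty? ? '' : '?' + URI.encode_www_form(safe)
  "https://#{default_host}#{path}#{qs}"
end

# Detection: true when a request carries all four keys the post describes.
REWRITE_KEYS = %w[protocol host subdomain domain].freeze

def link_rewrite_attempt?(query)
  keys = CGI.parse(query).keys
  REWRITE_KEYS.all? { |k| keys.include?(k) }
end

if __FILE__ == $PROGRAM_NAME
  q = 'protocol=A&host=X&subdomain=B&domain=C'
  puts vulnerable_link('/login', q)   # A://B.C/login
  puts hardened_link('/login', q)     # https://app.example.com/login
  puts link_rewrite_attempt?(q)       # true
end
```

The important design point is in `hardened_link`: the scheme and host are constants chosen by the server, and request input can only influence the parts of the URL that were deliberately allow-listed. Rejecting non-`http`/`https` protocols would be a second layer, but not a substitute for keeping request parameters out of the option hash entirely.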

For an open redirect, it is exploitable using:


This changes the links to href=

When using:


The links become:


And when the link is clicked, it executes the XSS:

As mentioned above, the XSS was reported, and the company accepted it as a high-severity vulnerability and paid $1000 through Bugcrowd:

For those who are interested, I created a nuclei template to detect this: