How I found an XSS via multiple parameters

Erick Fernando
2 min readNov 7, 2023

Hello everyone, after receiving a generous reward at Bugcrowd for an XSS, I would like to share a discovery from a Bug Bounty I found a while back while using a fuzzer to explore open redirects and XSS.

I found a way to exploit open redirects and XSS using multiple parameters in the URL that manipulate frontend links, possibly in Ruby On Rails applications, [and this is the 3rd time I’ve found this in a Bug Bounty program].

By using the parameters “?protocol=A&host=X&subdomain=B&domain=C” all together without exception in the URL, it forces the application to change some links in the HTML to href=”A://B.C,” allowing for open redirect and XSS exploitation.

In open redirect, it is exploitable using:

https://domain[.]com/?protocol=https&subdomain=evil&domain=com&host=X

This changes the links to href=https://evil.com

When using:

https://domain[.]com?protocol=javascript&subdomain=%25A0alert(document.domain)//&domain=X&host=X

The links become:

href=javascript://%A0alert(document.domain)//.C

And when the link is clicked, it executes the XSS:

And as mentioned above, an XSS was reported, and the company accepted it as a high-severity vulnerability and paid $1000 dollars through Bugcrowd:

For those who are interested, I created a nuclei template to explore and find this:

https://github.com/erickfernandox/nuclei-templates/blob/main/multiple-parameters-manipulation.yaml

--

--