First off, I’d like to say thank you to everyone who’s followed and helped me learn different target points and attacks for web testing.
In this story, I will be telling how a flash file led me to an XSS — however, I will not be disclosing the website due to their privacy and respect. 😊
Let’s start.
You will need an XSS swf. That XSS swf file can be obtained through: https://github.com/evilcos/xss.swf — download the file and then upload to the server you’re testing on for Bounty Hunting!!
Once you see the file is on the server and doesn’t ask you to download/reflects on the server, that’s when you put your XSS code.
Simply add ?js=alert(document.domain); at the end of your .swf and it should display the XSS.
Screenshots:
Time and date for payout:
Mon, Oct 29, 2018 10:51 AM - XSS found and reported the same day.Wed, Oct 31, 2018, 9:56 AM - An investigation was done by their security team.Nov 19, 2018, 8:18 AM - Payout of $200 USD was sent to my PayPal.
Thank you for all reading and hope this helps you in your quest for bounty hunting. 😎
If you have any questions or comments, feel free to message me on Twitter @Skeletorkeys